sherlock-audit / 2022-10-mover-judging


141345 - Signature replay #63

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

141345

high

Signature replay

Summary

The CardTopupMPTProof() function verifies the signatures for authorization. However, a signature without a nonce is susceptible to a replay vulnerability.

Vulnerability Detail

The SignedTransaction does not contain a nonce, so the same signature could be reused. If the user mistakenly submitted the transaction multiple times, or due to network problems or congestion, the funds could be transferred unexpectedly.

Impact

Users' funds could be transferred multiple times by the same signature submission, which is not expected by the user.

Code Snippet

https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/HardenedTopupProxy.sol#L507-L515

https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/HardenedTopupProxy.sol#L1064

Tool used

Manual Review

Recommendation

Add a nonce to the SignedTransaction struct.

Duplicate of #42
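
The recommendation above, sketched as an added example that is not code from HardenedTopupProxy.sol or from the original report: a per-signer nonce is included in the signed digest and consumed on first use, so resubmitting the same signature fails. The contract name, function names, parameters and event are hypothetical, and the sketch assumes ECDSA signatures checked with `ecrecover`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; every name here is hypothetical, not taken from the audited contract.
contract NonceGuardedTopup {
    // Next expected nonce per signer; a signature is valid for exactly one nonce value.
    mapping(address => uint256) public nonces;

    event TopupAccepted(address indexed signer, address token, uint256 amount, uint256 nonce);

    // Digest the signer must sign. The nonce makes each authorization single-use;
    // chain id and contract address (an addition beyond the report's recommendation)
    // keep the signature from being replayed against another deployment.
    function digest(address signer, address token, uint256 amount, uint256 nonce)
        public
        view
        returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), signer, token, amount, nonce)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function topup(
        address signer,
        address token,
        uint256 amount,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        // The nonce is read from storage, never supplied by the caller.
        uint256 nonce = nonces[signer];
        address recovered = ecrecover(digest(signer, token, amount, nonce), v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");

        // Consume the nonce before any external call. A second submission of the
        // same (v, r, s) is now checked against a different digest and is rejected.
        nonces[signer] = nonce + 1;

        emit TopupAccepted(signer, token, amount, nonce);
        // The token transfer for the top-up would follow here.
    }
}
```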