sherlock-audit / 2022-10-mover-judging


Lambda - CardTopupTrusted signatures can be used multiple times / replayed #85

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

Lambda

medium

CardTopupTrusted signatures can be used multiple times / replayed

Summary

The signatures that are generated by a backend / trusted party do not include a nonce / replay protection and can be used multiple times.

Vulnerability Detail

CardTopupTrusted directly calls recoverSigner on the (formatted) payload and does not include any nonces or other forms of replay protection.

Impact

The same signature can be used for multiple approvals. I.e. a signature for 100 USDC can be used 10 times for topping up 1,000 USDC in total.

Code Snippet

https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/HardenedTopupProxy.sol#L1033

Tool used

Manual Review

Recommendation

Include a nonce.

Duplicate of #42
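
The recommendation above, sketched as an added example (not part of the original report and not Mover's code): a verifier that records each signed digest as consumed so a second submission reverts. The contract name, function names and payload fields are assumptions, since the page does not show the actual payload format; binding the digest to chain id, contract address and a deadline goes beyond the nonce the report asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical contract illustrating nonce-based replay protection.
contract TopupApprovalExample {
    address public immutable trustedSigner;       // backend signing key (assumed)
    mapping(bytes32 => bool) public usedDigests;  // approvals already consumed

    event ApprovalConsumed(address indexed account, uint256 nonce, uint256 amount);

    constructor(address signer) {
        require(signer != address(0), "zero signer");
        trustedSigner = signer;
    }

    // The signed digest covers the nonce, so two approvals for the same
    // account, token and amount still produce different signatures.
    // chainid and address(this) stop reuse on another chain or deployment.
    function approvalDigest(
        address account, address token, uint256 amount,
        uint256 nonce, uint256 deadline
    ) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encode(
            block.chainid, address(this), account, token, amount, nonce, deadline
        ));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function consumeApproval(
        address token, uint256 amount, uint256 nonce, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp <= deadline, "approval expired");
        bytes32 digest = approvalDigest(msg.sender, token, amount, nonce, deadline);

        // Keyed on the digest, not the signature bytes, so a malleated
        // (r, s) pair for the same payload is rejected as well.
        require(!usedDigests[digest], "approval already used");

        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == trustedSigner, "bad signature");

        usedDigests[digest] = true;  // mark consumed before any external call
        emit ApprovalConsumed(msg.sender, nonce, amount);
        // ... the top-up for `amount` of `token` would continue here
    }
}
```

With this check, the 100 USDC approval from the Impact section succeeds once; resubmitting the same signature reverts with "approval already used".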