The known issues says Signature can be replayed: Backend will add nonce to the order type to prevent replay attacks.
But the order nonce is not checked on-chain.
Vulnerability Detail
This allows orders with the same nonce to be executed on-chain.
I suspect the backend checks the nonce but the backend needs to maintain nonce database records. The backend takes the responsbility of maintain the integrate of the db and this is not the web3 way.
Impact
Replay is still possible if the backend does not check the nonce or the backend loses nonce records.
n33k
high
Nonce is not checked on-chain
Summary
The known issues says
Signature can be replayed: Backend will add nonce to the order type to prevent replay attacks.But the order nonce is not checked on-chain.
Vulnerability Detail
This allows orders with the same nonce to be executed on-chain.
I suspect the backend checks the nonce but the backend needs to maintain nonce database records. The backend takes the responsbility of maintain the integrate of the db and this is not the web3 way.
Impact
Replay is still possible if the backend does not check the nonce or the backend loses nonce records.
Code Snippet
Order has a nonce field.
https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/lib/Types.sol#L67-L77
But the nonce is not checked during order validation in
approveTrade.https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/impl/JOJOExternal.sol#L129
Tool used
Manual Review
Recommendation
Record and check nonce on-chain.
Duplicate of #414