Closed sherlock-admin2 closed 1 year ago
Both nonces
and DOMAIN_SEPARATOR
are implemented in Ledger
. Lender
inherits from Ledger
, so it is EIP2612 compliant.
1 comment(s) were left on this issue during the judging contest.
MohammedRizwan commented:
valid medium since issue is breaking core EIP requirement in lender.sol and valid per sherlock rule.
nonce()
function is missing in Ledger. sol
, However there is nonces
mapping is present in Ledger.sol
. EIP2612 has MUST
requirement of nonce()
function, therefore the contract is not fully compliant with EIP-2612. Further, the DOMAIN_SEPARATOR()
used is incorrect and does not follow EIP-2612 which says DOMAIN_SEPARATOR is defined according to EIP-712.
Per the contest readme.md, Lender.sol is compliant with EIP2612.
Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of? The Lender complies with ERC4626 and EIP2612.
Per sherlock rules,
EIP Compliance: For issues related to EIP compliance, the protocol & codebase must show that there are important external integrations that would require strong compliance with the EIP's implemented in the code. The EIP must be in regular use or in the final state for EIP implementation issues to be considered valid
Therefore, i believe this issue is valid medium.
Escalate
Escalate on behalf of 0xRizwan
Escalate
Escalate on behalf of 0xRizwan
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
@jingyi2811
According to EIP712, the domain separator can be chosen as needed:
With regards to the nonce, the nonces
mapping is public so it's exposed just like a function.
Both of your arguments are invalid and the issue as a whole is invalid.
@roguereddwarf
I agree with your point, nonce mapping will return the output similar to function but if you see, EIP-2612 it explicitely indicates to add nonce()
function. The requirement here is "MUST" and not "SHOULD".
Further the mapping would be the part of nonce()
function.
For example:
mapping(address => uint) private _nonces;
function nonces(address owner) external view returns (uint) {
return _nonces[owner];
}
I agree with @roguereddwarf that this is invalid. The public variable creates a getter function that behaves the same. Any external integration would have no issue with that.
Planning to reject escalation and keep this issue invalid.
The contract already has a public mapping nonces
that can be called externally like an external function.
Agree with Trumpero
mapping(address => uint256) public nonces;
Will automatically provide the function nonces(address) external view returns(uint256)
function, so the issue is invalid.
Will reject escalation and keep issue state as is.
Result: Invalid Has duplicates
MohammedRizwan
medium
Lender.sol
is not fully compliant withEIP2612
Summary
Lender.sol
is not fully compliant withEIP2612
Vulnerability Detail
Per the contest readme.md,
Lender.sol
is compliant withEIP2612
.As per the
ERC-2612
which is used as permit Extension for EIP-20 Signed Approvals.1)
Permit()
is used in contract and the function is incompliance with EIP2612. 2)nonces()
is missing therefore theLender.sol
is not in compliance with EIP2612. It should be noted here thatnonce
function isMUST
requirement ofEIP2612
. Therefore this requirement can not be omitted. Per the defination ofMUST
as per RFC-2119Therefore, nonce() must be added in contract for proper compliance.
3)
DOMAIN_SEPARATOR()
is used incorrectly in contract. It should be noted thatLender.sol
inheritsLedger.sol
andDOMAIN_SEPARATOR()
is a part ofLedger.sol
DOMAIN_SEPARATOR()
used in the contract is given as below,The above given function does not comply the
EIP2612
as theEIP2612
states,The
DOMAIN_SEPARATOR
should be like this,Therefore,
DOMAIN_SEPARATOR()
should be corrected.Impact
Lender.sol
breaks the design integration withEIP2612
and could result in expected behaviour which is not desired. Being EIP2612 is the core requirement ofLender.sol
Code Snippet
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Ledger.sol#L128
Tool used
Manual Review
Recommendation
Correctly follow EIP2612. Add the
nonces()
function which is a must requirement here also correct theDOMAIN_SEPARATOR()
function as stated in EIP2612