Closed sherlock-admin2 closed 5 months ago
Invalid issue.
The watson omitted the _getDigest()
function in their code example, which is the one including \x19\x01
and the domain separator:
1 comment(s) were left on this issue during the judging contest.
takarez commented:
observing the Readme, this should be valid; medium(1)
Invalid, agree with sponsor comments here
xiaoming90
medium
Update Collateral Digest does not conform to EIP-712
Summary
The Update Collateral Digest does not conform to EIP-712.
Vulnerability Detail
Per the Sherlock's contest page, it stated that the code is expected to comply with EIP-712. As such, any non-compliance to EIP-712 found during the contest is considered valid.
Per the EIP-712, the digest to be signed must be in the following format:
However, the update collateral digest used by the Minter Gateway does not conform to this requirement. The digest does not include the
\x19\x01
and domain separator in the payload to be hashed.https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/MinterGateway.sol#L958
Impact
The minter gateway relies on the validator signatures to update the user's collateral value. EIP-712 is a standard dictating how to structure and sign data on Ethereum and should be followed closely to ensure compatibility with the EVM ecosystem.
Code Snippet
https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/MinterGateway.sol#L958
Tool used
Manual Review
Recommendation
Ensure that the digest adheres to the following EIP-712 format:
Duplicate of #12