search

sherlock-audit / 2024-02-tapioca-judging

2 stars 2 forks source link

bareli - wrong implement of "permit" #83

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

bareli

medium

wrong implement of "permit"

Summary

we should add owner for calculating structHash.

Vulnerability Detail

function permit(address spender, uint256 tokenId, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public virtual { require(block.timestamp <= deadline, "ERC721Permit: expired deadline");

    address owner = ownerOf(tokenId);

@> bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH, spender, tokenId, _useNonce(owner), deadline));

    bytes32 hash = _hashTypedDataV4(structHash);

    address signer = ECDSA.recover(hash, v, r, s);
    require(signer == owner, "ERC721Permit: invalid signature");

    _approve(spender, tokenId);
}

Impact

structHash is not implemented correctly.There may be some multiple permit for same owner.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/util/ERC4494.sol#L49C78-L49C85

Tool used

Manual Review

Recommendation

function permit(address spender, uint256 tokenId, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public virtual { require(block.timestamp <= deadline, "ERC721Permit: expired deadline");

    address owner = ownerOf(tokenId);

@> bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH,owner, spender, tokenId, _useNonce(owner), deadline));

    bytes32 hash = _hashTypedDataV4(structHash);

    address signer = ECDSA.recover(hash, v, r, s);
    require(signer == owner, "ERC721Permit: invalid signature");

    _approve(spender, tokenId);
}
cryptotechmaker commented 5 months ago

Invalid

nevillehuang commented 5 months ago

Invalid, I don't see the issue here, function implementation is consistent