Closed sherlock-admin3 closed 4 months ago
Escalate
Duplicate of #273
Escalate
Duplicate of #273
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #273
Result: Medium Duplicate of #273
Bigsam
medium
Vulnerability Report: Denial-of-Service Attack Risk Due to Inadequate Signature Verification in Contract
Summary
EIP1271 ensures that the signature used by the contract is either being called by the contract owner or on behalf of. The contract is vulnerable to potential denial-of-service attacks due to flaws in its signature verification process. The contract uses a modifier
checkSignature(bytes32 edgeId, bytes calldata data, bytes calldata signature)
to validate the signer's address and the data, which is utilized in two functions:acknowledgeEdge
andunacknowledgeEdge
. However, there is a significant flaw as it does not validate the ownership of theedgeId
with_isCreatorOrEntity(edges[edgeId_].to, msg.sender)
when used within the functions, potentially allowing unauthorized users to exploit the system.Vulnerability Detail
The vulnerability lies in the
checkSignature
modifier, which is intended to verify the signer's address and validate the data. The flaw arises when this modifier is used within theacknowledgeEdge
andunacknowledgeEdge
functions without verifying the ownership of theedgeId
. This oversight allows malicious users to potentially compromise the system by misusing the validated inputs before the actual owner can access them.Impact
Once a signature has been verified and used before the real owner (user) calls/executes the intended function the function reverts. The susceptibility to this vulnerability exposes the contract to potential denial-of-service attacks and unauthorized access. Malicious users can exploit the flawed signature verification process to perform unauthorized actions, leading to disruptions in the contract's functionality.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L39-L50
Reference to Validation in solady https://github.com/Vectorized/solady/blob/91d5f64b39a4d20a3ce1b5e985103b8ea4dc1cfc/src/utils/SignatureCheckerLib.sol#L117-L203
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L108
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L118-L124
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L136
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L146-L152
Tool used
Manual Review
Recommendation
To mitigate this vulnerability, it is crucial to include a validation check to ensure that the address calling the function is the actual owner of the
edgeId
. This can be achieved by incorporating a check within thecheckSignature
modifier to verify the ownership using_isCreator(edges[edgeId].to.creator.target., msg.sender)
OR_isCreatorOrEntity(edges[edgeId].to.creator.target., msg.sender)
. By adding this validation, the contract can enhance its security measures and prevent potential exploitation by malicious users.Duplicate of #273