Vulnerability Report: Denial-of-Service Attack Risk Due to Inadequate Signature Verification in Contract

Summary

EIP1271 ensures that the signature used by the contract is either being called by the contract owner or on behalf of. The contract is vulnerable to potential denial-of-service attacks due to flaws in its signature verification process. The contract uses a modifier checkSignature(bytes32 edgeId, bytes calldata data, bytes calldata signature) to validate the signer's address and the data, which is utilized in two functions: acknowledgeEdge and unacknowledgeEdge. However, there is a significant flaw as it does not validate the ownership of the edgeId with _isCreatorOrEntity(edges[edgeId_].to, msg.sender) when used within the functions, potentially allowing unauthorized users to exploit the system.

Vulnerability Detail

The vulnerability lies in the checkSignature modifier, which is intended to verify the signer's address and validate the data. The flaw arises when this modifier is used within the acknowledgeEdge and unacknowledgeEdge functions without verifying the ownership of the edgeId. This oversight allows malicious users to potentially compromise the system by misusing the validated inputs before the actual owner can access them.

Signer Authenticity: The isValidSignature function checks if the provided signature corresponds to the expected signer and the data hash. If msg.sender (the caller of the function) is validated as the owner of the signature without further checks, then anyone with access to a valid signature could potentially impersonate the signer.
Transaction Front-Running: If there's no additional context or verification in the contract to ensure that msg.sender is indeed the intended user of the signature.

Impact

Once a signature has been verified and used before the real owner (user) calls/executes the intended function the function reverts. The susceptibility to this vulnerability exposes the contract to potential denial-of-service attacks and unauthorized access. Malicious users can exploit the flawed signature verification process to perform unauthorized actions, leading to disruptions in the contract's functionality.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L39-L50

Reference to Validation in solady https://github.com/Vectorized/solady/blob/91d5f64b39a4d20a3ce1b5e985103b8ea4dc1cfc/src/utils/SignatureCheckerLib.sol#L117-L203

Check Present here

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L108

Absent for function with signature

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L118-L124

Check Present here

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L136

Absent for function with signature

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L146-L152

Tool used

Manual Review

Recommendation

To mitigate this vulnerability, it is crucial to include a validation check to ensure that the address calling the function is the actual owner of the edgeId. This can be achieved by incorporating a check within the checkSignature modifier to verify the ownership using _isCreator(edges[edgeId].to.creator.target., msg.sender) OR _isCreatorOrEntity(edges[edgeId].to.creator.target., msg.sender). By adding this validation, the contract can enhance its security measures and prevent potential exploitation by malicious users.

Duplicate of #273