Closed sherlock-admin4 closed 2 months ago
Escalate
This should be a separate issue, since it talks about compact signatures, have nothing to do with #273
Escalate
This should be a separate issue, since it talks about compact signatures, have nothing to do with #273
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #279
@WangSecurity, please review this escalation. It is not a duplicate of #279, but a different family instead. The problem described is not malleability. It's replayability caused by using the compact version of an already used signature
@ZdravkoHr correct if I'm wrong, but this issue can be mitigated if we use a hash of the signed data and put it intoisUsed
modifier instead of a hash of the signature?
@WangSecurity , I think that's correct
Then, I believe two reports (this one and #279) identify the same core issue -> the users are able to use another signature for the same message, the impacts are also the same -> the user can acknowledge an edge again, and the fix is also the same -> use the hash of signed data rather than the hash of signature. With that, I believe it should be duplicated with #279
Planning to accept the escalation and duplicate the issue with #279
@WangSecurity, i believe the root cause is different. Both issues show how a signature can be used twice, but if you theoretically don't fix these issues, each signature can be used 4 times
But both of them are fixed if the hash of signed data is used as you agreed above. And what do you mean by core issue is different? As I understand, in both issues it's "it is possible to produce another valid signature for the same message", but please correct me if I'm missing something. I see that your report is about compact signature, while the #279 is about regular signature. But, as I see it, both of these lead to the same core issue.
Yeah, the impact is the same, but in #279 the reason is that the signature is malleable. In this issue the replayability doesn't come from this malleability, but because the contract will accept both the compact and standard version.
For example, if the underlying code had checks for the s
value of the signature, so it's not malleable, this issue would still have been possible.
That's what I meant by saying that each of these issues show how a signature can be used twice, but if you leave them not fixed, when you combine them, you can use one signature not twice, but 4 times.
I agree with your thoughts, but still this issues lead to the same impact of being able to acknowledge an edge more than once and the impact is the same as well (I understand that there are several possible fixes and checks for s
value wouldn't fix the problem with compact signature, but using the hash of signed data would prevent both). Moreover, I see the root issue here is that the user is able to create another signature for the same message (be that compact signature or not), therefore, I believe it should be a duplicate. Hope for your understanding.
Decision remains the same, accept the escalation and duplicate with #279
Okay, @WangSecurity. Thanks for discussing!
and thank you for that calm and thoughtful discussion @ZdravkoHr
Result: Medium Duplicate of #279
ZdravkoHr.
medium
TitlesGraph
signatures are replayable because of a compact signature vulnerabilitySummary
The TitlesGraph contract is vulnerable to
compact signature replayability
. Because of this, any party can execute an already used signature for a second time.Vulnerability Detail
Ethereum signatures are 65 bytes long and consist of (r, s, v). EIP-2098 introduces the idea of compact signatures, where the signatures become 64 bytes long instead and are in the form
(r, v, s)
, where the first byte of the originals
value is cut because it's always zero.TitlesGraph
uses SignatureCheckerLib which supports both normal and compact signatures.The
TitlesGraph
contract hashes a signature and records it in the_isUsed
mapping to ensure the same signature cannot be used twice. However, anyone can pass the compact version of the signature and bypass this check, because the resulting hash will be different from what is saved in the mapping.Here is a coded PoC in Foundry that demonstrates how an user (Alice) acknowledges an edge via signature. After that Alice changes her mind and unacknowledges the edge. Since the contract accepts compact signatures, anyone can use it to acknowledge the edge again.
NOTE: For simplicity, the following function has to be added to TitlesGraph before running the PoC.
The actual test to be run in TitlesCore.t.sol
Impact
For each valid signature, there exists a valid compact signature that anyone can use to replay the original signature.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/graph/TitlesGraph.sol#L40C1-L50C6 https://github.com/Vectorized/solady/blob/91d5f64b39a4d20a3ce1b5e985103b8ea4dc1cfc/src/utils/SignatureCheckerLib.sol#L44-L64
Tool used
Foundry
Recommendation
A possible solution may be the following change in the hashing step:
Duplicate of #279