sherlock-audit / 2024-04-titles-judging


ComposableSecurity - Message digest does not include the type of operation #417

Closed sherlock-admin4 closed 1 month ago

sherlock-admin4 commented 2 months ago

ComposableSecurity

medium

Message digest does not include the type of operation

Summary

The functions that are used to acknowledge and unacknowledge the edges in the TitlesGraph contract use exactly the same digest when verifying the signature. That is because the digest does not include the value which states whether it is actually an acknowledge or an unacknowledge.

The attacker can front-run the user and use their signature to execute the opposite operation.

Vulnerability Detail

The functions that accept a signature parameter, which are: acknowledgeEdge(bytes32 edgeId_, bytes calldata data_, bytes calldata signature_) and unacknowledgeEdge(bytes32 edgeId_, bytes calldata data_, bytes calldata signature_), use the same parameters to generate the message digest (that is, bytes32 digest = _hashTypedData(keccak256(abi.encode(ACK_TYPEHASH, edgeId, data)));).

The same signature can be used to acknowledge and unacknowledge the edge. The attacker could front-run the transaction with a correct signature and execute another transaction with a changed value and the same signature, resulting in the opposite operation.

Impact

The attacker can front-run the user and use the signature to unacknowledge the edge which is being acknowledged (and the opposite way).

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L40-L50

Tool used

Manual Review

Recommendation

Include the boolean value in the message digest (the structHash param of EIP712).

Duplicate of #273
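
The recommendation above, written out in Solidity as an added example (not code from the TitlesGraph repository or from the report's authors). The type string, the domain name and version, the single `approver` address and the helper names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the TitlesGraph source. The type string, domain
// name/version, the `approver` address and helper names are assumptions.
contract AckDigestExample {
    // The operation is a member of the signed struct, unlike the reported
    // abi.encode(ACK_TYPEHASH, edgeId, data), which is identical for both calls.
    bytes32 public constant ACK_TYPEHASH =
        keccak256("Ack(bytes32 edgeId,bytes data,bool acknowledged)");
    bytes32 public immutable DOMAIN_SEPARATOR;
    address public immutable approver;            // expected signer (assumed)
    mapping(bytes32 => bool) public acknowledged; // edgeId => current state

    constructor(address approver_) {
        approver = approver_;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("AckDigestExample"), keccak256("1"), block.chainid, address(this)));
    }

    function ackDigest(bytes32 edgeId_, bytes calldata data_, bool ack_) public view returns (bytes32) {
        // EIP-712 encodes a dynamic `bytes` member as its keccak256 hash.
        bytes32 structHash = keccak256(abi.encode(ACK_TYPEHASH, edgeId_, keccak256(data_), ack_));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    function acknowledgeEdge(bytes32 edgeId_, bytes calldata data_, bytes calldata sig_) external {
        _setAck(edgeId_, data_, sig_, true);
    }

    function unacknowledgeEdge(bytes32 edgeId_, bytes calldata data_, bytes calldata sig_) external {
        _setAck(edgeId_, data_, sig_, false);
    }

    function _setAck(bytes32 edgeId_, bytes calldata data_, bytes calldata sig_, bool ack_) internal {
        require(sig_.length == 65, "bad signature length");
        bytes32 r = bytes32(sig_[0:32]);
        bytes32 s = bytes32(sig_[32:64]);
        uint8 v = uint8(sig_[64]);
        // The digest depends on ack_, so a signature made for `true` recovers
        // a different address when it is presented to the `false` path.
        address signer = ecrecover(ackDigest(edgeId_, data_, ack_), v, r, s);
        require(signer != address(0) && signer == approver, "unauthorized");
        acknowledged[edgeId_] = ack_;
    }
}
```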

ccashwell commented 2 months ago

Signature re-use is not possible due to its inclusion in _isUsed, and front-running isn't a concern for this as there's no value for an attacker to do so.

ComposableSecurityTeam commented 1 month ago

Escalate

This is a valid issue. The duplicate was accepted and is rewarded here: https://github.com/sherlock-audit/2024-04-titles-judging/issues/273

sherlock-admin3 commented 1 month ago

Escalate

This is a valid issue. The duplicate was accepted and is rewarded here: https://github.com/sherlock-audit/2024-04-titles-judging/issues/273

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

Agree with the escalation, planning to accept and duplicate with #273

Evert0x commented 1 month ago

Result: Medium Duplicate of #273

sherlock-admin2 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: