Closed sherlock-admin3 closed 1 month ago
An ECDSA signature should never be used by a smart contract as part of a key meant to represent a unique signed action. This is unrelated to the permit functionality and is entirely the responsibility of the third party contract.
chaduke
High
Signature malleability problem, possibly leading to double allowance and spending.
Summary
The original signature can be manipulated into another signature that is still valid. If an external contract uses a transation Id based on the signature to check whether a permit has been used or not, then a double allowance and spending is possible. This might lead to loss of funds.
A double spending/allowance is a 100% loss, therefore, I mark this as high.
Root Cause
It is well known that Ethereum's
ecrecover
function is subject to the signature malleability problem; see: https://medium.com/draftkings-engineering/signature-malleability-7a804429b14aThe following function uses
ecrecover
and thus has a problem:https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/nst/src/Nst.sol#L191-L208
Internal pre-conditions
None
External pre-conditions
An external contract might use signature-based transactionId to check whether a permit signature has been used before. As a result, even though a variant of the original signature was executed, the external contract will think the original signature was not used. As a result, a new signature might be signed, and double spending becomes possible.
Attack Path
Initial Permit Setup:
Signature Malleability:
Signature Expiry and Reissuance:
Double Allowance:
Impact
It uses Ethereum's ecrecover, as a result, different signature is used to execute the transaction, making the original caller to think that the transaction didn't go through although it was successful, this can lead to double allowance and spending.
PoC
The function
manipulateSignature()
takes the original signature and generates a new signature, which is also valid.Below, we show how the malleability vulnerability can be exploited to mislead an owner (BobContract) to give twice allowance to a spender (SpenderContract), leading to double transfer of 5000 NSts.
Attack Scenario
Bob creates another valid signature since he thought the original transaction fails (
executedTransactions[txId] = false
). This allows double allowance and thus double transfers to occur, which is a loss of funds.Mitigation
Use the latest version of the OpenZeppelin ECDSA library.