The isValidSignature function in AirdropRecipient.sol incorrectly returns bytes4(0xffffffff) for invalid signatures instead of reverting, violating the ERC-1271 standard. This erroneous behavior can be triggered whenever an external protocol or application interacts with the contract, attempting to verify a signature using this function.
3. Proof-of-Concept (PoC) Flow:
External Protocol Interaction: An external protocol, intending to verify a signature, interacts with the isValidSignature function, passing an invalid signature and its corresponding hash.
Incorrect Signature Validation: The isValidSignature function, using SignatureCheckerLib.isValidSignatureNow, determines that the signature is invalid.
Erroneous Return Value: Instead of reverting, as dictated by the ERC-1271 standard, the function returns bytes4(0xffffffff).
False Positive: The external protocol, unaware of this deviation from the standard, interprets bytes4(0xffffffff) as an indication of a valid signature.
4. Impact:
This bug can have severe consequences, particularly for the security and reliability of the AirdropRecipient contract:
False Positive Signature Verification: This can lead to the acceptance of forged approvals or execution of unauthorized actions by malicious actors. Imagine a scenario where airdrop claims are authenticated using signatures. A malicious actor could craft an invalid signature and use this bug to claim airdrops that they are not entitled to, depleting funds intended for legitimate recipients.
Bypassing Security Measures: External protocols, especially those responsible for critical operations like asset transfers or fund management, rely on the isValidSignature function for security. This bug essentially allows these security measures to be bypassed with an invalid signature.
Recommendation:
The code should be immediately rectified to strictly comply with the ERC-1271 standard. The isValidSignature function must revert for invalid signatures, ensuring robust security and preventing the possibility of exploitation.
Minato7namikazi
High
Non-Compliant ERC-1271 Signature Validation in AirdropRecipient Contract
Summary
https://github.com/sherlock-audit/2024-08-flayer/blob/0ec252cf9ef0f3470191dcf8318f6835f5ef688c/flayer/src/contracts/utils/AirdropRecipient.sol#L58
The
isValidSignaturefunction inAirdropRecipient.solincorrectly returnsbytes4(0xffffffff)for invalid signatures instead of reverting, violating the ERC-1271 standard. This erroneous behavior can be triggered whenever an external protocol or application interacts with the contract, attempting to verify a signature using this function.3. Proof-of-Concept (PoC) Flow:
isValidSignaturefunction, passing an invalid signature and its corresponding hash.isValidSignaturefunction, usingSignatureCheckerLib.isValidSignatureNow, determines that the signature is invalid.bytes4(0xffffffff).bytes4(0xffffffff)as an indication of a valid signature.4. Impact:
This bug can have severe consequences, particularly for the security and reliability of the
AirdropRecipientcontract:isValidSignaturefunction for security. This bug essentially allows these security measures to be bypassed with an invalid signature.Recommendation:
The code should be immediately rectified to strictly comply with the ERC-1271 standard. The
isValidSignaturefunction must revert for invalid signatures, ensuring robust security and preventing the possibility of exploitation.