Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

VULNERABLE ECDSA LIBRARY

Summary

A vulnerability was found in the ECDSA library developed by the OpenZeppelin team. The OpenZeppelin team published a security advisory on GitHub on August 22nd, 2022. According to the advisory, the recover and tryRecover functions are vulnerable because they accept both the standard signature format and the compact signature format (EIP-2098).

Vulnerability Details

The ECDSA functions are vulnerable to a form of signature malleability because they accept compact EIP-2098 signatures in addition to the traditional 65-byte signature format.
This is only an issue for the functions that take a single bytes argument, and not for the functions that take r, v, s or r, vs as separate arguments.

Potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used, rather than the signed message or a nonce included in it. A user can take a signature that has already been submitted, submit it again in a different form, and bypass this protection.
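The following Python model is an added example, not code from the submission or from OpenZeppelin. It shows why replay protection keyed on the raw signature bytes fails when a verifier accepts both encodings, and why keying on the signed digest does not. Assumptions: sha256 stands in for keccak256, no ECDSA verification is performed, and the names ReplayGuard, to_compact, decode, SIG65 and DIGEST are hypothetical.

```python
import hashlib

def to_compact(sig65: bytes) -> bytes:
    """EIP-2098: re-encode 65-byte r||s||v as 64-byte r||yParityAndS."""
    r, s, v = decode(sig65)
    if len(sig65) != 65 or v not in (27, 28) or s >> 255:
        raise ValueError("expected canonical 65-byte signature")
    # yParity (v - 27) is packed into the top bit of s.
    return r + (((v - 27) << 255) | s).to_bytes(32, "big")

def decode(sig: bytes):
    """Return (r, s, v) from either encoding, as a length-tolerant recover(bytes) does."""
    if len(sig) == 65:
        return sig[:32], int.from_bytes(sig[32:64], "big"), sig[64]
    if len(sig) == 64:
        vs = int.from_bytes(sig[32:], "big")
        return sig[:32], vs & ((1 << 255) - 1), 27 + (vs >> 255)
    raise ValueError("invalid signature length")

class ReplayGuard:
    """key_on='signature' models the weak pattern; key_on='digest' the robust one."""
    def __init__(self, key_on: str):
        self.key_on, self.used = key_on, set()

    def accept(self, digest: bytes, sig: bytes) -> bool:
        decode(sig)  # stands in for signature verification (not performed here)
        # sha256 is an assumption standing in for keccak256(signature).
        key = hashlib.sha256(sig).digest() if self.key_on == "signature" else digest
        if key in self.used:
            return False
        self.used.add(key)
        return True

# Constructed sample values, not a real signature or message.
SIG65 = bytes([0x11]) * 32 + bytes([0x22]) * 32 + bytes([28])
DIGEST = hashlib.sha256(b"constructed message").digest()

def demo():
    compact = to_compact(SIG65)
    weak, strong = ReplayGuard("signature"), ReplayGuard("digest")
    return {
        "same_rsv": decode(compact) == decode(SIG65),
        "weak": [weak.accept(DIGEST, SIG65), weak.accept(DIGEST, compact)],
        "strong": [strong.accept(DIGEST, SIG65), strong.accept(DIGEST, compact)],
    }
```

The signature-keyed guard accepts the same authorization twice because the two encodings hash to different keys, while the digest-keyed guard rejects the second submission regardless of encoding.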

Impact

Could cause loss of funds.

Tools Used

Manual Review

Recommendations

It is suggested to update the @openzeppelin/contracts package to version 4.7.3 to fix this finding.
