Signature replay attack
Summary
The code contains a vulnerability related to a signature replay attack in the sendToL1 function. The vulnerability allows an attacker to replay valid signatures and execute unauthorized transactions
Vulnerability Details
The vulnerability arise because there is nothing to prevent the same signature of being used multiple times. Indeed, the owner could have signed a transaction. However, the associated transaction would be publicly readable on the blockchain. This way, an attacker could copy the signature, submit multiple identical transactions and end up draining contract funds.
Impact
The impact of this vulnerability is severe. An attacker can repeatedly execute transactions on behalf of an authorized signer, leading to financial losses and potential disruption of the intended functionality of the system
Tools Used
Manual
Recommendations
Implement a mechanism to verify the uniqueness of nonces associated with each transaction. This prevents the replay of valid signatures by ensuring that each transaction is processed only once
Lead Judging Commences
withdrawTokensToL1()/sendToL1(): signature replay
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.