DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

Signature re-use due to use of Vulnerable version of openzeppelin contracts

Summary

The protocol uses a version of the OpenZeppelin ECDSA library that is vulnerable to signature re-use.

Vulnerability Details

The ERC20Permit.sol contract uses the ECDSA library's recover function to verify the authenticity of the permit signature.

The OpenZeppelin Contracts version in use, 4.6.0, is shown in the header comment of the ERC20Permit contract:

// OpenZeppelin Contracts (last updated v4.6.0) (token/ERC20/extensions/draft-ERC20Permit.sol)

According to the official OpenZeppelin advisory of August 22nd, 2022:

The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to some sort of signature malleability because they accept compact EIP-2098 signatures in addition to the traditional 65-byte signature format.

A user can take a signature that has already been submitted, submit it again in a different form, and bypass this protection.

The following versions are vulnerable to this issue:

>= 4.1.0 < 4.7.3

The protocol uses 4.6.0, which falls inside that range.

It was observed that ERC20Permit.sol is susceptible to this vulnerability.
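The malleability the advisory describes, as an added example that is not code from this submission or the audited protocol: the same ECDSA signature can be encoded as 65 bytes (r, s, v) or as 64 bytes in the compact EIP-2098 form (r, vs). A replay guard keyed on the raw signature bytes accepts both encodings, while one keyed on the decoded (r, s, v) tuple rejects the re-encoded copy. The r and s values below are constructed placeholders, not a real signature.

```python
# Added example, not code from the submission or the audited protocol.
# Decodes both signature encodings the pre-4.7.3 ECDSA library accepted and
# contrasts a byte-keyed replay guard with one keyed on the decoded tuple.

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = SECP256K1_N // 2

# Constructed placeholder values (not a real signature); s must be <= n/2.
R_SAMPLE = 0x1234567890ABCDEF1234567890ABCDEF
S_SAMPLE = 0x0FEDCBA987654321FEDCBA9876543210


def decode_signature(sig: bytes) -> tuple[int, int, int]:
    """Accept the 65-byte (r, s, v) form or the 64-byte EIP-2098 (r, vs) form
    and return canonical (r, s, v) with v in {27, 28}."""
    r = int.from_bytes(sig[:32], "big")
    if len(sig) == 65:
        s, v = int.from_bytes(sig[32:64], "big"), sig[64]
    elif len(sig) == 64:
        vs = int.from_bytes(sig[32:64], "big")
        s = vs & ((1 << 255) - 1)   # low 255 bits carry s
        v = 27 + (vs >> 255)        # top bit carries the recovery id
    else:
        raise ValueError("bad signature length")
    if s > HALF_N or v not in (27, 28):
        raise ValueError("non-canonical s or v")
    return r, s, v


def encode_65(r: int, s: int, v: int) -> bytes:
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])


def to_compact(sig65: bytes) -> bytes:
    """Re-encode a 65-byte signature as its 64-byte EIP-2098 equivalent."""
    r, s, v = decode_signature(sig65)
    return r.to_bytes(32, "big") + (((v - 27) << 255) | s).to_bytes(32, "big")


def accept(used: set, key) -> bool:
    """Generic replay guard: first use passes, repeats are rejected."""
    if key in used:
        return False
    used.add(key)
    return True


def demo() -> tuple[bool, bool, bool, bool]:
    sig65 = encode_65(R_SAMPLE, S_SAMPLE, 28)
    sig64 = to_compact(sig65)
    naive, canonical = set(), set()
    # Naive guard keys on raw bytes: the compact copy slips through.
    # Canonical guard keys on decoded (r, s, v): the copy is rejected.
    return (accept(naive, sig65), accept(naive, sig64),
            accept(canonical, decode_signature(sig65)),
            accept(canonical, decode_signature(sig64)))
```

`demo()` returns `(True, True, True, False)`: the byte-keyed guard accepts the re-encoded signature, the tuple-keyed guard does not.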

Impact

As stated by OpenZeppelin:

A user can take a signature that has already been submitted, submit it again in a different form, and bypass this protection.

Reference

Halborn rated this kind of issue as High in its Biconomy audit (finding 3.1, HAL-01: Vulnerable ECDSA library). It is also high in this case, and possibly critical, because user funds are involved.

Tools Used

Manual review

Recommendations

Use OpenZeppelin Contracts version >= 4.7.0, in which the vulnerability was patched.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Signature malleability
