Submission Details
Severity:
`MondrianWallet.sol::_validateSignature` does not correctly validate the owners signature
Summary
MondrianWallet.sol::_validateSignature does not correctly validate the owners signature
Vulnerability Details
The MondrianWallet.sol::_validateSignature function does not correctly validate that the owner is the one who signed the incoming userOp.
function _validateSignature(PackedUserOperation calldata userOp, bytes32 userOpHash)
internal
pure
returns (uint256 validationData)
{
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
@> ECDSA.recover(hash, userOp.signature);
return SIG_VALIDATION_SUCCESS;
}
Impact
Anyone can sign a message using their signature and it will return with SIG_VALIDATION_SUCCESS. This validation should only succeed if it is the owner who signed the message. Otherwise is should return with SIG_VALIDATION_FAILED.
Tools Used
--Foundry/Hardhat
Recommendations
Add a check to make sure the userOp signature is the owners.
function _validateSignature(PackedUserOperation calldata userOp, bytes32 userOpHash)
internal
pure
returns (uint256 validationData)
{
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
- ECDSA.recover(hash, userOp.signature);
+ if (owner != ECDSA.recover(hash, userOp.signature))
+ return SIG_VALIDATION_FAILED;
return SIG_VALIDATION_SUCCESS;
}
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
ECDSA.recover should check against sender
`_validateSignature` SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch.
Rewards breakdown
nSLOC
89This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.