Submission Details
Severity:
`_validateSignature`doesn't validate the signature and always returns SIG_VALIDATION_SUCCESS
Summary
_validateSignature should only return SIG_VALIDATION_SUCCESS if the address returned from ECDSA.recover(hash, userOp.signature); matches the owner() address. If it doesn't, it should return SIG_VALIDATION_FAILED
Vulnerability Details
In MondrianWallet.sol, the issue exists in the line specified by "@>" below:
function _validateSignature(PackedUserOperation calldata userOp, bytes32 userOpHash)
internal
pure
returns (uint256 validationData)
{
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
@> ECDSA.recover(hash, userOp.signature);
return SIG_VALIDATION_SUCCESS;
}
ECDSA.recover(hash, userOp.signature); returns an address, but that address isn't checked to ensure it matches owner().
Impact
_validateSignature will always return SIG_VALIDATION_SUCCESS, even when the signature is invalid.
Tools Used
Manual review.
Recommendations
Update the function to the following:
function _validateSignature(PackedUserOperation calldata userOp, bytes32 userOpHash)
internal override virtual returns (uint256 validationData) {
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
if (owner() != ECDSA.recover(hash, userOp.signature))
return SIG_VALIDATION_FAILED;
return SIG_VALIDATION_SUCCESS;
}
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
ECDSA.recover should check against sender
`_validateSignature` SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch.
Rewards breakdown
nSLOC
89This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.