Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

`_validateSignature` always returns `SIG_VALIDATION_SUCCESS`, causing invalid signatures to be accepted

Summary

The `_validateSignature` function recovers the signer from the signature but never checks whether that signer is the owner, so every signature is accepted.

Vulnerability Details

The signature check is supposed to verify that the owner authorized the operation to be executed on their behalf. If any signature is accepted, a malicious user can forge an operation and submit it for execution without the owner's consent, potentially resulting in loss of the owner's funds.
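An added Foundry test (not code from the submission or the audited project) that detects this bug: it signs the same `userOpHash` with the owner's key and with an unrelated key and asserts that the second signature is rejected. `MinimalAccount`, `validateSignature` and the test keys are assumed; the fixed check uses OpenZeppelin v5's `ECDSA.tryRecover` so a malformed signature also fails instead of reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

uint256 constant SIG_VALIDATION_SUCCESS = 0;
uint256 constant SIG_VALIDATION_FAILED = 1;

// Assumed minimal account (hypothetical name): only the signature check, no EntryPoint wiring.
contract MinimalAccount {
    address public owner;
    constructor(address _owner) { owner = _owner; }

    // Fixed logic: the recovered signer must equal the owner; anything else returns
    // SIG_VALIDATION_FAILED rather than reverting. Assumes OZ v5 tryRecover (3 return values).
    function validateSignature(bytes32 userOpHash, bytes calldata signature)
        external view returns (uint256)
    {
        bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
        (address signer, ECDSA.RecoverError err,) = ECDSA.tryRecover(hash, signature);
        if (err == ECDSA.RecoverError.NoError && signer == owner) return SIG_VALIDATION_SUCCESS;
        return SIG_VALIDATION_FAILED;
    }
}

contract SignatureCheckTest is Test {
    MinimalAccount account;
    uint256 constant OWNER_KEY = 0xA11CE;   // constructed test key
    uint256 constant STRANGER_KEY = 0xB0B;  // constructed test key

    function setUp() public {
        account = new MinimalAccount(vm.addr(OWNER_KEY));
    }

    function _sign(uint256 key, bytes32 userOpHash) internal view returns (bytes memory) {
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(key, MessageHashUtils.toEthSignedMessageHash(userOpHash));
        return abi.encodePacked(r, s, v); // 65-byte r||s||v layout that ECDSA expects
    }

    function test_ownerSignatureAccepted() public view {
        bytes32 h = keccak256("constructed userOp");
        assertEq(account.validateSignature(h, _sign(OWNER_KEY, h)), SIG_VALIDATION_SUCCESS);
    }

    // This is the check the vulnerable version fails: the signer was recovered but never
    // compared, so a well-formed signature from any key returned SIG_VALIDATION_SUCCESS.
    function test_nonOwnerSignatureRejected() public view {
        bytes32 h = keccak256("constructed userOp");
        assertEq(account.validateSignature(h, _sign(STRANGER_KEY, h)), SIG_VALIDATION_FAILED);
    }
}
```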

Impact

Anybody can execute transactions without the owner's signature.

Tools Used

Manual review

Recommendations

Use the return value of the `recover` function to return the correct `validationData` value.

```diff
function _validateSignature(PackedUserOperation calldata userOp, bytes32 userOpHash)
internal
pure
returns (uint256 validationData)
{
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
- ECDSA.recover(hash, userOp.signature);
+ address signer = ECDSA.recover(hash, userOp.signature);
+ if(signer == owner())
return SIG_VALIDATION_SUCCESS;
+ return SIG_VALIDATION_FAILED;
}
```
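Review bot: the function is still declared `pure`, but the added line `+ if(signer == owner())` reads contract state through `owner()`, so this will not compile as written; change the modifier to `view` as part of the fix. Note also that `ECDSA.recover` reverts on a malformed signature, so only a well-formed signature from the wrong key reaches `return SIG_VALIDATION_FAILED;` here; if a non-reverting result is wanted for every invalid input, `ECDSA.tryRecover` with an error check is the usual replacement.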
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

ECDSA.recover should check against sender

`_validateSignature` SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch.
