Submission Details
Severity:
`_validateSignature` does not check if the sender matches the signature
Description
The _validateSignature function is used by the EntryPoint to determine if the signature sent by a user is valid. However, this function retrieves the signer but does not verify if this signer is the wallet owner. As a result, anyone could bypass the signature validation and send any operation to any wallet.
function _validateSignature(
PackedUserOperation calldata userOp,
bytes32 userOpHash
) internal pure returns (uint256 validationData) {
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
@> ECDSA.recover(hash, userOp.signature);
@> return SIG_VALIDATION_SUCCESS;
}
Risk
Likelyhood: High
Anyone can send any operation to the wallet.
Impact: High
Theft of funds
Recommended Mitigation
function _validateSignature(
PackedUserOperation calldata userOp,
bytes32 userOpHash
) internal pure returns (uint256 validationData) {
bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
- ECDSA.recover(hash, userOp.signature);
+ if (owner != ECDSA.recover(hash, userOp.signature))
+ return SIG_VALIDATION_FAILED;
return SIG_VALIDATION_SUCCESS;
}
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
ECDSA.recover should check against sender
`_validateSignature` SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch.
Rewards breakdown
nSLOC
89This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.