Beginner Friendly (Foundry)
Submission Details
Severity: high
Valid

`_validateSignature` does not check if the sender matches the signature

Description

The `_validateSignature` function is called by the EntryPoint to decide whether the signature attached to a user operation is valid. However, the function only recovers the signer address from the signature and never compares it with the wallet owner. Any well-formed signature from any key therefore passes validation, so anyone could bypass the signature check and send any operation to any wallet.

```solidity
function _validateSignature(
    PackedUserOperation calldata userOp,
    bytes32 userOpHash
) internal pure returns (uint256 validationData) {
    bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
@>  ECDSA.recover(hash, userOp.signature);
@>  return SIG_VALIDATION_SUCCESS;
}
```

Risk

Likelihood: High

  • Anyone can send any operation to the wallet.

Impact: High

  • Theft of funds

Recommended Mitigation

```diff
 function _validateSignature(
     PackedUserOperation calldata userOp,
     bytes32 userOpHash
-) internal pure returns (uint256 validationData) {
+) internal view returns (uint256 validationData) { // reading `owner` is a state read, so the function can no longer be `pure`
     bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
-    ECDSA.recover(hash, userOp.signature);
+    // Compare the recovered signer with the owner and report a mismatch by return value, not by reverting
+    if (owner != ECDSA.recover(hash, userOp.signature))
+        return SIG_VALIDATION_FAILED;
     return SIG_VALIDATION_SUCCESS;
 }
```
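A Foundry regression test for the mitigated check, added here as an example and not part of the submission or the audited project. `OwnerCheckedAccount`, its public `validateSignature` harness, the test keys and the import remappings (forge-std, OpenZeppelin v5, account-abstraction v0.7) are assumptions; it asserts that the owner's signature is accepted and that a well-formed signature from any other key yields `SIG_VALIDATION_FAILED` instead of a revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";
import {PackedUserOperation} from "account-abstraction/contracts/interfaces/PackedUserOperation.sol";
import {SIG_VALIDATION_SUCCESS, SIG_VALIDATION_FAILED} from "account-abstraction/contracts/core/Helpers.sol";

// Hypothetical minimal account that carries only the mitigated signature check.
contract OwnerCheckedAccount {
    address public immutable owner;
    constructor(address _owner) { owner = _owner; }

    // Exposed as a public harness so the test can exercise the validation logic directly.
    function validateSignature(PackedUserOperation calldata userOp, bytes32 userOpHash) external view returns (uint256) {
        bytes32 hash = MessageHashUtils.toEthSignedMessageHash(userOpHash);
        // Recovering a signer proves nothing on its own; the signer must be the owner.
        if (owner != ECDSA.recover(hash, userOp.signature)) return SIG_VALIDATION_FAILED;
        return SIG_VALIDATION_SUCCESS;
    }
}

contract OwnerCheckedAccountTest is Test {
    uint256 constant OWNER_KEY = 0xA11CE;   // constructed test keys, not real ones
    uint256 constant STRANGER_KEY = 0xB0B;
    bytes32 constant USER_OP_HASH = keccak256("constructed userOpHash");
    OwnerCheckedAccount account;

    function setUp() public {
        account = new OwnerCheckedAccount(vm.addr(OWNER_KEY));
    }

    // Builds a userOp whose signature is produced by `key` over the EIP-191 prefixed hash,
    // the same scheme the account verifies.
    function _opSignedBy(uint256 key) internal view returns (PackedUserOperation memory op) {
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(key, MessageHashUtils.toEthSignedMessageHash(USER_OP_HASH));
        op.signature = abi.encodePacked(r, s, v); // 65-byte r||s||v layout expected by ECDSA.recover
    }

    function test_OwnerSignatureIsAccepted() public view {
        assertEq(account.validateSignature(_opSignedBy(OWNER_KEY), USER_OP_HASH), SIG_VALIDATION_SUCCESS);
    }

    // Regression test for this finding: a valid signature from any other key is rejected by return value, not by revert.
    function test_StrangerSignatureIsRejected() public view {
        assertEq(account.validateSignature(_opSignedBy(STRANGER_KEY), USER_OP_HASH), SIG_VALIDATION_FAILED);
    }
}
```

Run with `forge test --match-contract OwnerCheckedAccountTest`; against the original unchecked `_validateSignature`, the second test would fail because the stranger's signature is accepted.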
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

ECDSA.recover should check against sender

`_validateSignature` SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch.
