The MondrianWallet::_validateSignature function fails to validate that the address recovered from ECDSA.recover matches the expected sender. This vulnerability can lead to unauthorized operations in the wallet contract.
The MondrianWallet::_validateSignature function, responsible for validating the signature in the user operation, retrieves an address from the signature using ECDSA.recover. However, it does not compare the recovered address with a known or expected address (such as userOp.sender). This oversight allows an attacker to use a valid signature from another context to execute unauthorized operations.
If an attacker obtains a valid signature, they could exploit this vulnerability to perform unauthorized actions on behalf of another user or wallet. This opens the door to signature replay attacks or unauthorized use, potentially resulting in financial loss or other malicious activities.
Place the following into MondrianWallet.test.js.
Manual review, Hardhat
To fix this vulnerability, ensure the _validateSignature function validates that the recovered address matches the expected sender: