First Flight #19: Mondrian Wallet v2
First Flight #19
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Use `SignatureChecker` Over `ECDSA` for Signature Validation

4rdiii

Description:
The zkSync era documentation suggests using SignatureChecker instead of ECDSA for signature validation. This advice is grounded in the distinction between ECDSA signatures and contract signatures. Unlike ECDSA signatures, contract signatures are revocable, meaning their validity can change over time. For instance, a signature might be considered valid at block N but invalid at block N+1, or vice versa.

Impact:
Accounts may utilize different signature schemes, making ECDSA.recover ineffective for accurate signature validation. This limitation could result in failed validations and potential security risks.

Recommended Mitigation:
To mitigate this issue, incorporate a isValidSignature function into your smart contract. This function should utilize SignatureChecker from the OpenZeppelin contracts library, shifting away from the conventional use of ECDSA.recover.
Here's an illustrative implementation:

+ import { SignatureChecker } from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
.
.
.
+ function isValidSignature(
+ address _address,
+ bytes32 _hash,
+ bytes memory _signature
+ ) public pure returns (bool) {
+ return _address.isValidSignatureNow(_hash, _signature);
+ }
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Non-standart signing methods

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.