Hardhat, Foundry
30,000 USDC
Submission Details
Severity: high
Invalid

`Nexus::_eip712Hash` does not create a replay-safe hash because it lacks a nonce, and signatures stay valid indefinitely because no expiry time is included.

Vulnerability Details

`_MESSAGE_TYPEHASH` is the hash of the struct `BiconomyNexusMessage(bytes32 hash)`, which has no nonce or expiry time parameter. `_domainSeparator` has no nonce parameter either, and no nonces mapping is maintained inside the contract for the signer. So, without a nonce, the signature can be easily replayed.
Without an expiry time, the signature can remain valid indefinitely.

```solidity
// Nexus.sol, line 55
bytes32 private constant _MESSAGE_TYPEHASH = keccak256("BiconomyNexusMessage(bytes32 hash)");

// Nexus.sol, lines 367-369
function _eip712Hash(bytes32 hash) internal view virtual returns (bytes32) {
    // @audit no nonce or expiry included as params in the struct this typehash is for
    return keccak256(abi.encodePacked("\x19\x01", _domainSeparator(), keccak256(abi.encode(_MESSAGE_TYPEHASH, hash))));
}
```

https://github.com/Cyfrin/2024-07-biconomy/blob/main/contracts/Nexus.sol#L367C4-L369C6

Impact

The signature can be replayed, or can be used for an indefinite time.

Tools Used

Manual Review

Recommendation

Add nonce and expiry time parameters to the hashStruct.
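
A generic sketch of the pattern this recommendation describes, added here as an example; it is not code from Nexus or from the submission, and the contract, struct, domain values and function names are all hypothetical. The typed struct carries a per-signer nonce and a deadline, so each digest verifies once and only before it expires.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT Nexus code. Every name below is hypothetical.
contract ReplaySafeMessageExample {
    // The struct binds the payload hash to a nonce and an expiry timestamp.
    bytes32 private constant _TYPEHASH =
        keccak256("ExampleMessage(bytes32 hash,uint256 nonce,uint256 deadline)");
    bytes32 private constant _DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");

    // Next unused nonce for each signer.
    mapping(address => uint256) public nonces;

    // Domain separator ties signatures to this chain and this contract.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            _DOMAIN_TYPEHASH,
            keccak256(bytes("Example")),
            keccak256(bytes("1")),
            block.chainid,
            address(this)
        ));
    }

    // EIP-712 digest: "\x19\x01" || domainSeparator || hashStruct(message).
    function digest(bytes32 hash, uint256 nonce, uint256 deadline) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(_TYPEHASH, hash, nonce, deadline));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    // Accepts a signature at most once, and only until `deadline`.
    function consume(address signer, bytes32 hash, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "expired");
        // Post-increment: the digest is built over the current nonce, which is then spent.
        // A revert below rolls the increment back, so failed attempts do not burn nonces.
        uint256 nonce = nonces[signer]++;
        address recovered = ecrecover(digest(hash, nonce, deadline), v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
    }
}
```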

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0x11singh99 Submitter
11 months ago
0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
