The Nexus.sol smart contract is vulnerable to a replay attack. This attack allows an attacker to reuse previously signed transactions, enabling unauthorized and repetitive execution of the same transaction.
The Nexus protocol relies on signatures to verify the authenticity and integrity of transactions. However, it lacks mechanisms to prevent the reuse of these signatures in subsequent transactions, making it susceptible to replay attacks. The protocol relies on Solady's SignatureCheckerLib to verify that the signature provided is valid.
Solady's SignatureCheckerLib warns that the library does not check whether a signature is non-malleable.
Here is the contracts/Nexus.sol::isValidSignature() function, which in turn calls contracts/modules/validators/K1Validator.sol::isValidSignatureWithSender() and contracts/modules/validators/K1Validator.sol::validateUserOp():
The latter uses SignatureCheckerLib to verify the signature, but since this implementation does not check whether a signature is non-malleable, and there are no mechanisms or checks to prevent a signature replay, the contract is vulnerable to replay attacks.
When a signature is malleable, it is possible to produce another valid signature for the same message (and therefore the same digest). Replayed transactions can trigger contract functions unintentionally, causing disruptions and potential financial loss, and undermining trust in the security and integrity of the Nexus system, potentially deterring users from adopting the platform.
Manual review.
Implement checks to ensure that the s value in the (r, s, v) signature is in the lower half of the curve order. This prevents signature malleability.
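As an added illustration of the recommendation (not code from the Nexus repository or from Solady), the validator below rejects any signature whose s value lies above the secp256k1 half order and also binds each signed digest to a per-contract nonce so an accepted signature cannot be replayed; the owner, nonce scheme and digest layout are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example validator (hypothetical, not Nexus code): low-s check plus
/// nonce-bound digests so an accepted signature cannot be reused.
contract LowSReplayGuardedValidator {
    // secp256k1 curve order n divided by 2: the largest canonical s value.
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable owner;
    // Assumed replay guard: every signed digest embeds the current nonce,
    // which is consumed on first successful validation.
    uint256 public nonce;

    constructor(address owner_) {
        owner = owner_;
    }

    /// Split a 65-byte (r, s, v) signature and recover the signer.
    /// Returns address(0) for a bad length, a high s value or an invalid v.
    function recoverLowS(bytes32 digest, bytes calldata sig) public pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        // Malleability check: (r, n - s, v') verifies for the same digest,
        // so only the lower-half s is accepted (the EIP-2 bound).
        if (uint256(s) > HALF_ORDER) return address(0);
        if (v != 27 && v != 28) return address(0);
        return ecrecover(digest, v, r, s);
    }

    /// Validate `sig` over (payload, nonce, chainid, this) and consume the nonce.
    function validate(bytes32 payload, bytes calldata sig) external returns (bool) {
        bytes32 digest = keccak256(abi.encode(payload, nonce, block.chainid, address(this)));
        address signer = recoverLowS(digest, sig);
        if (signer == address(0) || signer != owner) return false;
        // A second submission of the same signature now hashes to a different
        // digest, so it no longer recovers to the owner.
        unchecked { nonce++; }
        return true;
    }
}
```

The chain id and contract address in the digest additionally stop the same signature from being accepted on another chain or by another deployment.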
Valid medium, although all issues lack a little detail on some form of protocol specific impact here. See similar reference finding [here](https://github.com/sherlock-audit/2024-04-titles-judging/issues/279)