In SettlementBranch::fillOffchainOrders, the structHash is built according to the EIP-712 standard to produce the message hash that the user signs.
However, the struct hash omits the crucial deadline parameter: the message hash is generated without any deadline, so a signature produced over it can be replayed forever.
SettlementBranch.sol#L240-L251
Signatures signed by users should always carry an expiration or deadline timestamp, so that after that time the signature is no longer valid. Without a signature expiration, a user signing a message is effectively granting a "lifetime license".
Signature implementations should always include an expiration timestamp and aim to conform to EIP-712.
Similar finding related to deadline missing
Without signature expiration, a user by signing a message is effectively granting a "lifetime license".
Manual Review
Add a deadline parameter to the above structHash, encode it together with the other parameters, and include it in CREATE_OFFCHAIN_ORDER_TYPEHASH; then derive the message hash to be signed from that struct hash.
Also add a check that the deadline has not passed, and revert if it has.
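The recommendation above, as an added illustration that is not the project's own code: the order fields (trader, marketId, sizeDelta, nonce) and the contract name are assumed, and the EIP712/ECDSA helpers are OpenZeppelin's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Hypothetical contract showing a deadline-bound off-chain order hash.
/// The order fields below are assumed for illustration, not the project's.
contract OffchainOrderWithDeadline is EIP712 {
    struct OffchainOrder {
        address trader;
        uint128 marketId;
        int128 sizeDelta;
        uint128 nonce;
        uint256 deadline; // unix timestamp after which the signature is rejected
    }

    // The deadline must be part of the type string; otherwise the signer
    // never commits to it and the field could be chosen by the relayer.
    bytes32 public constant CREATE_OFFCHAIN_ORDER_TYPEHASH = keccak256(
        "CreateOffchainOrder(address trader,uint128 marketId,int128 sizeDelta,uint128 nonce,uint256 deadline)"
    );

    error OrderExpired(uint256 deadline, uint256 nowTs);
    error InvalidSigner(address recovered, address expected);

    constructor() EIP712("OffchainOrderWithDeadline", "1") {}

    /// EIP-712 digest the user signs; deadline is encoded with the other fields.
    function hashOrder(OffchainOrder memory o) public view returns (bytes32) {
        bytes32 structHash = keccak256(
            abi.encode(CREATE_OFFCHAIN_ORDER_TYPEHASH, o.trader, o.marketId, o.sizeDelta, o.nonce, o.deadline)
        );
        return _hashTypedDataV4(structHash);
    }

    /// Reverts if the order has expired or the signature is not from the trader.
    function verifyOrder(OffchainOrder memory o, bytes memory signature) public view returns (address) {
        // Expiry check comes first so a stale signature never reaches recovery or state changes.
        if (block.timestamp > o.deadline) revert OrderExpired(o.deadline, block.timestamp);
        address signer = ECDSA.recover(hashOrder(o), signature);
        if (signer != o.trader) revert InvalidSigner(signer, o.trader);
        return signer;
    }
}
```

A nonce check against replay within the deadline window is still needed separately; the deadline only bounds how long the signature stays usable.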