President Elector

First Flight #24
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Valid

[H-1] Wrong definition of the `TYPEHASH` leads to the vote with signatures functionality to be unusable

Description

In the protocol's docs, it states that a big part of the protocol's functionality is that voters can let others spend gas for they're votes by using signatures. The following function is in charge of doing so:

function rankCandidatesBySig(address[] memory orderedCandidates, bytes memory signature) external {
bytes32 structHash = keccak256(abi.encode(TYPEHASH, orderedCandidates));
bytes32 hash = _hashTypedDataV4(structHash);
address signer = ECDSA.recover(hash, signature); // @audit ?? maybe come back, couldnt find a problem. yeytttt
_rankCandidates(orderedCandidates, signer);
}

The function uses a variable called `TYPEHASH` that contains the function's signature and is encoded to create the hash eventually. However, in the `TYPEHASH` declaration the function's signature is wrong:

:\/
bytes32 public constant TYPEHASH = keccak256("rankCandidates(uint256[])");

The function takes an array of addresses not uint256!

Impact

In the `rankCandidatesBySig` function the `hash` will be encoded with the wrong input parameters for the function, which will revert every transaction made with the signatures. Which means that an important capability in the protocol will not work!

Proof of Concept

Here is a step by step of a situation of a voter trying to vote with some other user to pay the gas for them:

1. A voter will make an order list of they're candidates.

2. That voter will make a signature constructed with the function signature and the actual list they made.

3. The gas payer will now pass on the actual list and the signature.

4. The `rankCandidatesBySig` will create the hash using the wrong TYPEHASH.

5. The ECDSA contract will revert

Recommended Mitigation

Fix the TYPEHASH to the correct input parameters:

+ bytes32 public constant TYPEHASH = keccak256("rankCandidates(address[])");
- bytes32 public constant TYPEHASH = keccak256("rankCandidates(uint256[])");
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Typehash hashes the wrong function input.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.