Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Poor domainSeparator uniqueness.

timenov

Summary

The NativeMetaTransaction contract design includes a common EIP712 domain name, version, and chain ID across multiple deployed contracts. The domain name is always OWP and the version is 1. Having in mind that the contracts will only be deployed to Polygon(same chain ID) and that 2 contracts are inheriting NativeMetaTransaction this will cause poor domainSeparator uniqueness.

Vulnerability Details

The domainSeparator is formed from the EIP712_DOMAIN_TYPEHASH, name, version, address(this) and chainId:

function _setDomainSeperator(string memory name, string memory version) internal {
domainSeperator = keccak256(
abi.encode(
EIP712_DOMAIN_TYPEHASH, // same for the 2 contracts
keccak256(bytes(name)), // always OWP
keccak256(bytes(version)), // always 1
address(this),
bytes32(getChainId()) // same for the 2 contracts
)
);
}

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/meta-transaction/EIP712Base.sol#L28-L38

This means that domainSeparator for the 2 contracts that are MembershipFactory and OWPIdentity will only differentiate on their address.

Impact

Having identical domain separator, aside from address(this) can increase the chance of signature collisions, verification confusion for external tools and can cause users to sign for the other contract.

Tools Used

Manual Review

Recommendations

Use unique names for the contracts, for example: OWP-Factory and OWP-Identity. Optionally use different version as well.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

timenov Submitter
7 months ago
0xbrivan2 Lead Judge
7 months ago
0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.