Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Input Validations in `_setDomainSeperator` in `EIP712BBase.sol`

Summary

The `_setDomainSeperator` function does not validate the `name` and `version` parameters, which can lead to the creation of incorrect or non-unique domain separators.

Vulnerability Details

EIP712BBase.sol::_setDomainSeperator

    function _setDomainSeperator(string memory name, string memory version) internal {
        domainSeperator = keccak256(
            abi.encode(
                EIP712_DOMAIN_TYPEHASH,
                keccak256(bytes(name)),
                keccak256(bytes(version)),
                address(this),
                bytes32(getChainId())
            )
        );
    }

Description:

If empty strings are passed as `name` or `version`, the resulting domain separator may not be unique. This undermines the security guarantees provided by the EIP-712 standard, potentially allowing signature collisions or replay attacks.

Impact

Domain collisions: A non-unique domain separator can lead to signature reuse across different domains.

Security risks: Increases the risk of replay and signature forgery.

Tools Used

Manual code review

Recommendations

function _setDomainSeperator(string memory name, string memory version) internal {
++ require(bytes(name).length > 0, "Name cannot be empty");
++ require(bytes(version).length > 0, "Version cannot be empty");
domainSeperator = keccak256(
abi.encode(
EIP712_DOMAIN_TYPEHASH,
keccak256(bytes(name)),
keccak256(bytes(version)),
address(this),
bytes32(getChainId())
)
);
}
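
Review bot: the two added `require` lines at the top of the function only reject empty strings; they do not change which fields are hashed, so the separator is exactly as unique after this change as before it. The encoding below them already includes `address(this)` and `bytes32(getChainId())`, and those are the fields that differ between deployments. If the checks are kept, add a comment saying they guard against a misconfigured setup call, and note that the function is `internal`, so `name` and `version` can only be supplied by the contract's own code or a contract that inherits from it.
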
Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
