Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Incorrect EIP-712 Domain Separator Implementation

m3dython

Root Cause:
The EIP712Base contract incorrectly defines the EIP-712 domain separator. Specifically, it uses a bytes32 salt instead of the standard uint256 chainId. The domain separator is constructed with:

bytes32 internal constant EIP712_DOMAIN_TYPEHASH = keccak256(
bytes("EIP712Domain(string name,string version,address verifyingContract,bytes32 salt)")
);

Instead of the standard:

bytes32 internal constant EIP712_DOMAIN_TYPEHASH = keccak256(
bytes("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)")
);

Furthermore, the domain separator is set using bytes32(getChainId()) as the salt, which doesn't align with the standard EIP-712 implementation.

Impact:
This incorrect implementation can allow attackers to forge signatures for meta-transactions. By exploiting this, an attacker can:

  • Bypass signature verification in the NativeMetaTransaction contract.

  • Execute functions protected by role-based access control (e.g., onlyRole(DEFAULT_ADMIN_ROLE)) by spoofing _msgSender().

  • Gain unauthorized access to privileged functions like updateDAOMembership and callExternalContract, leading to arbitrary code execution, manipulation of DAO configurations, or unauthorized fund transfers.

Recommendation:

  • Update the EIP712Domain struct and EIP712_DOMAIN_TYPEHASH to match the standard EIP-712 implementation.

  • Replace bytes32 salt with uint256 chainId in both the struct and the domain separator hash.

  • Recompute the domain separator with the correct parameters.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!