Project

Summary

A critical vulnerability in the MembershipFactory contract that allows malicious relayers to replay meta-transactions, leading to unauthorized actions and potential financial losses for users. The vulnerability stems from a lack of nonce verification within the meta-transaction execution flow.

Vulnerability Details

The MembershipFactory contract utilizes a custom implementation of _msgSender() to handle meta-transactions. However, this implementation fails to incorporate nonce verification. As a result, a malicious relayer can intercept a valid, signed meta-transaction and resubmit it multiple times. Each time, the contract will process the transaction as if it were a new request from the original user, without detecting that it is a replay.

The vulnerable code resides within the executeMetaTransaction function, which relies on the flawed _msgSender() implementation. Although _msgSender() is an internal function, it becomes exploitable because it's called within the external executeMetaTransaction function. The relayer controls the input to executeMetaTransaction, including the signed meta-transaction data, allowing them to replay the same data repeatedly.

Impact

This vulnerability has several severe consequences:

• Financial Loss: Users can be charged multiple times for actions they intended to perform only once, such as joining a DAO, minting an NFT, or any other function exposed through a meta-transaction. This can lead to significant financial losses, especially if the replayed transactions involve transferring tokens or ETH.

• Unauthorized DAO Membership: The membership count of DAOs can be artificially inflated by replaying joinDAO transactions. This can disrupt governance processes and dilute the ownership of DAO members.

• Denial-of-Service (DoS): Replaying meta-transactions can cause excessive gas consumption on the blockchain network, potentially leading to a denial-of-service scenario where legitimate transactions are delayed or blocked.

• Arbitrary External Calls: The callExternalContract function is particularly vulnerable as it allows arbitrary external calls with user-provided data, which can be exploited to drain funds or cause other malicious actions if the target contracts have their own vulnerabilities.

Recommendations

To remediate this vulnerability, implement nonce verification within the meta-transaction handling mechanism:

1. Add a Nonce to the MetaTransaction Struct: Include a nonce field in the MetaTransaction struct in the NativeMetaTransaction contract.

2. Increment Nonce on Execution: Modify executeMetaTransaction in NativeMetaTransaction to increment the user's nonce after each successful meta-transaction execution. Store these nonces in a mapping.

3. Verify Nonce During Execution: In executeMetaTransaction, add a check to ensure that the nonce in the received MetaTransaction matches the expected nonce for the user. Reject the transaction if the nonces don't match.