Meta-Transaction Signature Malleability Breaks Replay Protection
Summary
The protocol's meta-transaction implementation contains a critical vulnerability where signature malleability can be exploited to bypass nonce-based replay protection. The verify function in NativeMetaTransaction.sol accepts multiple variants of mathematically equivalent signatures, which allows an attacker to execute the same transaction multiple times by manipulating the signature values. While a basic ecrecover malleability was previously reported, this finding demonstrates how it specifically breaks the protocol's replay protection mechanism.
Vulnerability Details
In NativeMetaTransaction.sol: https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L33
Impact
Replay protection fails
Multiple executions possible
State inconsistencies
Financial:
Double fee payments
Duplicate operations
Fund loss potential
Tools Used
Manual Review
Recommendations
Implement full signature validation
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.