Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Field Ordering in `_setDomainSeparator` Calculation Violates `EIP-712` Standard

0xshoonya

Summary

The _setDomainSeperator function in the code does not follow the EIP-712 standard field order when constructing the domainSeparator. This ordering mismatch will result in an invalid domainSeparator and cause signature verification failures.

Vulnerability Details

In the _setDomainSeperator function, domainSeparator is calculated as follows:

function _setDomainSeperator(string memory name, string memory version) internal {

domainSeperator = keccak256(

abi.encode(

EIP712_DOMAIN_TYPEHASH,

keccak256(bytes(name)),

keccak256(bytes(version)),

@> address(this),

@> bytes32(getChainId())

)

);

}

In this code, verifyingContract comes before chainId, which creates an ordering mismatch that results in a wrong domainSeparator.
This is incorrect and violates EIP-712. The correct order as per EIP-712 should be:

name (hashed)
version (hashed)
chainId (uint256)
verifyingContract (address)

According to EIP-712, the fields must appear in a specific order, with chainId preceding verifyingContract in the encoded structure.

The EIP712Domain fields should be the order as above, skipping any absent fields. Future field additions must be in alphabetical order and come after the above fields. User-agents should accept fields in any order as specified by the EIP712Domain type.

Impact

The domain separator does not match the EIP-712 field ordering requirements. By placing verifyingContract before chainId, the generated domain separator will be invalid for EIP-712 signature verification.

Tools Used

Manual Review

Recommendations

function _setDomainSeperator(string memory name, string memory version) internal {

domainSeperator = keccak256(

abi.encode(

EIP712_DOMAIN_TYPEHASH,

keccak256(bytes(name)),

keccak256(bytes(version)),

- address(this),

+ bytes32(getChainId())

- bytes32(getChainId())

+ address(this)

)

);

}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Appeal created

0xshoonya Submitter

9 months ago

0xbrivan2 Lead Judge

9 months ago

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.