Incorrect implementation of EIP712Base
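    contract EIP712Base {
        // Domain struct as currently declared: there is no chainId field
        struct EIP712Domain {
            string name;
            string version;
            address verifyingContract;
            bytes32 salt;
        }
        // ... rest of the contract omitted
    }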
There is an issue in the Domain Separator Construction:
The code above uses bytes32(getChainId()) as the salt, which is incorrect. The salt should be a separate parameter, and chainId should be included as its own field in the EIP712Domain struct.
The current implementation mixes up the salt and chainId, which goes against the EIP-712 specification.
The constructor doesn't take a salt parameter, which it should since it's part of the domain struct.
Missing validation for empty string parameters (name and version).
The current EIP712Domain struct is missing the chainId field, which is required by the standard.
The salt parameter should be passed in the constructor rather than using chainId as salt.
Incorrect implementation leads to errors
Manual Review
    struct EIP712Domain {
        string name;
        string version;
        uint256 chainId;
        address verifyingContract;
        bytes32 salt;
    }

    bytes32 internal constant EIP712_DOMAIN_TYPEHASH = keccak256(
        bytes(
            "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract,bytes32 salt)"
        )
    );

    bytes32 internal domainSeparator;

    constructor(
        string memory name,
        string memory version,
        bytes32 salt
    ) {
        require(bytes(name).length > 0, "EIP712: name cannot be empty");
        require(bytes(version).length > 0, "EIP712: version cannot be empty");
        _setDomainSeparator(name, version, salt);
    }
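The recommendation calls `_setDomainSeparator(name, version, salt)` without showing its body. One possible body is sketched here as an added example, not the project's own code; it assumes Solidity 0.8+ (for `block.chainid`), and the contract name `EIP712BaseExample` and the helper `toTypedMessageHash` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; contract name and toTypedMessageHash are hypothetical.
contract EIP712BaseExample {
    // The field order in this type string must match the abi.encode order below,
    // otherwise signatures produced by wallets will not verify.
    bytes32 internal constant EIP712_DOMAIN_TYPEHASH = keccak256(
        bytes(
            "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract,bytes32 salt)"
        )
    );

    // Computed once at deployment from the constructor arguments.
    bytes32 internal domainSeparator;

    constructor(string memory name, string memory version, bytes32 salt) {
        require(bytes(name).length > 0, "EIP712: name cannot be empty");
        require(bytes(version).length > 0, "EIP712: version cannot be empty");
        _setDomainSeparator(name, version, salt);
    }

    function _setDomainSeparator(
        string memory name,
        string memory version,
        bytes32 salt
    ) internal {
        domainSeparator = keccak256(
            abi.encode(
                EIP712_DOMAIN_TYPEHASH,
                keccak256(bytes(name)),    // dynamic string fields are hashed first
                keccak256(bytes(version)),
                block.chainid,             // chainId as its own field
                address(this),             // verifyingContract
                salt                       // independent salt passed at deployment
            )
        );
    }

    // EIP-712 digest: keccak256("\x19\x01" || domainSeparator || hashStruct(message))
    function toTypedMessageHash(bytes32 structHash) internal view returns (bytes32) {
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
    }
}
```

Off-chain signers have to build the same five-field domain, in the same order, for their signatures to verify against this separator.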