Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Missing Signature Expiry Enables Perpetual Transaction Validity.

Summary

The protocol’s signature mechanism lacks an expiration, so signatures remain valid indefinitely.
This oversight could allow a signed transaction to be executed at any future time, potentially exposing the signer to unintended
actions and security risks, since the protocol currently requires the signer to execute a new transaction to invalidate the old
signature.

Vulnerability Details

Once a user signs a transaction, that signature remains valid indefinitely. Any party in possession of the signature could execute it at any time,
until the signer signs and executes another message. With a deadline, the signer decides when the signature stops being valid.

`executeMetaTransaction` uses a nonce, but this is not enough, because a nonce imposes no deadline and the signature can still be executed at any time.
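The difference between a nonce (one-time use) and a deadline (bounded lifetime) is easiest to see when both are bound into the signed digest. The contract below is an added illustration, not the audited project's code: it assumes EIP-712 typed-data signing, and the contract name, type string, `digest` helper and revert strings are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not the audited contract.
contract DeadlineMetaTx {
    // deadline is part of the signed type, so whoever relays the call cannot change it.
    bytes32 private constant META_TX_TYPEHASH = keccak256(
        "MetaTransaction(uint256 nonce,uint40 deadline,address from,bytes functionSignature)"
    );
    bytes32 private immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256(bytes("DeadlineMetaTx")),
            keccak256(bytes("1")),
            block.chainid,
            address(this)
        ));
    }

    // Digest the user signs off-chain: nonce stops replay, deadline bounds the lifetime.
    function digest(address from, bytes memory fnSig, uint256 nonce, uint40 deadline)
        public view returns (bytes32)
    {
        bytes32 structHash = keccak256(abi.encode(
            META_TX_TYPEHASH, nonce, deadline, from, keccak256(fnSig)
        ));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    function executeMetaTransaction(
        address from, bytes memory fnSig, uint40 deadline,
        bytes32 r, bytes32 s, uint8 v
    ) external returns (bytes memory) {
        // Reject stale signatures before doing any other work.
        require(block.timestamp <= deadline, "signature expired");
        // A tampered deadline changes the digest, so recovery no longer yields `from`.
        address signer = ecrecover(digest(from, fnSig, nonces[from], deadline), v, r, s);
        require(signer != address(0) && signer == from, "bad signature");
        nonces[from]++;
        // Forward the call to this contract with the user's address appended.
        (bool ok, bytes memory ret) = address(this).call(abi.encodePacked(fnSig, from));
        require(ok, "call failed");
        return ret;
    }
}
```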

Impact

Without a deadline, users lack control over how long their signed transactions remain valid, leaving them vulnerable to unexpected future transactions.

Recommendations

- function executeMetaTransaction(address userAddress, bytes memory functionSignature, bytes32 sigR, bytes32 sigS, uint8 sigV) public payable returns(bytes memory) {
+ function executeMetaTransaction(address userAddress, bytes memory functionSignature, uint40 deadline, bytes32 sigR, bytes32 sigS, uint8 sigV) public payable returns(bytes memory) {
+ require(block.timestamp <= deadline, "Signature Not Valid");
MetaTransaction memory metaTx = MetaTransaction({
nonce: nonces[userAddress],
+ deadline: deadline,
from: userAddress,
functionSignature: functionSignature
});
//...
}
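Review bot: `deadline` is added to the `MetaTransaction` literal, but the struct definition and the code that hashes `metaTx` for signature recovery sit behind `//...` and are not shown as changed. Unless `deadline` is part of the digest that `sigR`/`sigS`/`sigV` are verified against, whoever submits the call can pass any `deadline` value and the new `require` adds no protection, so the patch should include the updated struct, its type string and the hashing routine. A revert string such as "Signature expired" would also make an expired signature distinguishable from a malformed one, and callers should be told that the function's ABI changes with the new `uint40 deadline` parameter.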
Updates

Lead Judging Commences

0xbrivan2 Lead Judge
8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing deadline in meta transactions
