The NativeMetaTransaction contract is vulnerable to signature malleability: an attacker can replace the sigS component of a valid signature with its counterpart without invalidating the signature. This allows the attacker to bypass nonce checks and replay the same meta-transaction multiple times, potentially leading to unauthorized re-execution of transactions.
The verify function in NativeMetaTransaction does not check that the sigS component of the signature lies in the lower half of the secp256k1 group order n. In ECDSA, if (r, s) is a valid signature for a message and key, then (r, n - s) is also valid for the same message and key, so every signature has two valid encodings: one with s in the lower half of the order and one with s in the upper half (the recovery id v flips between 27 and 28 along with it). Failing to restrict sigS to the lower half lets an attacker rewrite a signature while keeping it valid. This opens the protocol to signature malleability, where the altered signature is treated as different from the original even though it authorizes the same transaction from the same signer.
The attacker observes a valid meta-transaction with its signature (r, s, v).
They replace sigS with n - s and flip sigV between 27 and 28, producing the other valid encoding of the same signature.
The attacker submits this modified signature; because it still recovers to the original signer, the contract treats it as a new, valid signature.
The contract re-executes the meta-transaction, bypassing the nonce check and allowing the attacker to replay the same transaction.
Critical — Signature malleability could allow attackers to:
Replay transactions: Malicious actors could re-execute the same transaction multiple times, causing unintended and unauthorized outcomes, such as repeated fund transfers or contract calls.
Bypass nonce mechanisms: The nonce system, meant to prevent replay attacks, is rendered ineffective, as each modified signature is treated as unique.
Manual Review
To prevent signature malleability, the verify function should be updated to require that sigS lies in the lower half of the secp256k1 group order (s <= n/2) and that sigV is 27 or 28. This is standard practice in Ethereum; OpenZeppelin's ECDSA library rejects high-s values for exactly this reason.
Here's the required fix: before calling ecrecover, require that uint256(sigS) is at most 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0 (that is, n/2) and revert otherwise.
This check guarantees that only signatures with s values in the lower half of the order are accepted, so the re-encoded signature (r, n - s) is rejected and the contract is protected from replay through malleated signatures. Replay protection should additionally be keyed on the signer's nonce being consumed on every execution rather than on the raw signature bytes, so that no alternative encoding of a signature can ever count as a distinct one.