Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Cross-Chain Replay Protection in Meta-Transactions

0xbeastboy

Summary

The NativeMetaTransaction contract's implementation of EIP-712 domain separation omits critical parameters (chainId and verifyingContract) from its domain separator, leaving meta-transactions vulnerable to cross-chain and cross-contract replay attacks.

Vulnerability Details

Current Implementation:

constructor() EIP712Base('OWP','1'){}

The constructor only passes name and version, omitting chainId and verifyingContract which are crucial for replay protection.

The implementation initializes EIP-712 with minimal domain separator parameters, excluding key fields that provide additional security guarantees. The domain separator is essential for preventing signature replay attacks across different contexts, but its current implementation lacks sufficient context binding.

Impact

Meta-transaction signatures can be replayed across different blockchain networks i.e a signature created on mainnet could be reused on testnets or other EVM chains. Signatures can be reused across different deployments of the same contract which could affect multiple instances of the protocol across the same chain.

Tools Used

Manual Review

Recommendations

Include these fields too:

contract NativeMetaTransaction is EIP712Base {

constructor() EIP712Base(

'OWP', // name

'1', // version

block.chainid, // chainId

address(this) // verifyingContract

) {}

}

Base Contract Modification:

contract EIP712Base {

constructor(

string memory name,

string memory version,

uint256 chainId,

address verifyingContract

) {

domainSeparator = keccak256(

abi.encode(

EIP712_DOMAIN_TYPEHASH,

keccak256(bytes(name)),

keccak256(bytes(version)),

chainId,

verifyingContract

)

);

}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.