Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Signature malleability of EVM's `ecrecover` in `verify()`

Summary

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L98

Vulnerability Details

EVM's `ecrecover` is susceptible to signature malleability, which allows replay attacks, but that is mitigated in this function, `hashMetaTransaction`, by ensuring that each transaction has a unique hash based on its specific contents and by verifying that the meta-transaction matches the original signed data. However, if any of the application logic changes, signature malleability might become a risk for replay attacks.

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L98

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L70C14-L70C33

See reference: https://swcregistry.io/docs/SWC-117

Impact

Unauthorized Transaction Replays and Cross-Chain Exploits

Tools Used

Manual Analysis

Recommendations

Consider using OpenZeppelin’s ECDSA library: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol
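
The property described in SWC-117 and the low-`s` rule that OpenZeppelin's ECDSA library enforces, as an added example that is not part of the submission or of the One World code base. It assumes a pure-Python secp256k1 with a constructed throwaway key and nonce and SHA-256 standing in for the transaction digest; `recover` and `recover_strict` are hypothetical names, and the `v` check is this example's own.

```python
import hashlib

# secp256k1 public domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(z, d, k):  # ECDSA over digest z with key d and nonce k -> (r, s, v)
    x, y = mul(k, G)
    return x % N, pow(k, -1, N) * (z + x % N * d) % N, 27 + (y & 1)

def recover(z, r, s, v):
    """What ecrecover computes: the signer's public key, with no range check on s."""
    y = pow(pow(r, 3, P) + 7, (P + 1) // 4, P)
    y = y if y & 1 == v - 27 else P - y
    rinv = pow(r, -1, N)
    return add(mul(s * rinv % N, (r, y)), mul(-z * rinv % N, G))

def recover_strict(z, r, s, v):
    """Same recovery, but only for the canonical encoding (low s, v in {27, 28})."""
    if v not in (27, 28) or not 0 < r < N or not 0 < s <= N // 2:
        return None
    return recover(z, r, s, v)

# Constructed sample values: throwaway key, fixed nonce, SHA-256 as a stand-in digest.
Z = int.from_bytes(hashlib.sha256(b"constructed meta-transaction").digest(), "big")
D, K = 0x1234567890ABCDEF, 0xC0FFEE
PUB, SIG = mul(D, G), sign(Z, D, K)
ALT = (SIG[0], N - SIG[1], 55 - SIG[2])  # second encoding of the same signature
```

Both `SIG` and `ALT` recover to `PUB` under `recover`, while `recover_strict` accepts exactly one of them, which is why code that keys replay protection on the signature bytes needs the canonical form enforced.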

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
