Attackers can manipulate the msg.value in meta-transactions, potentially causing unintended behavior or failed external calls within the contract. This is due to the executeMetaTransaction function not properly securing the msg.value parameter.
In the NativeMetaTransaction contract, the executeMetaTransaction function allows execution of a function on behalf of a user:
Since msg.value is not included in the meta-transaction signature, an attacker can execute the transaction with the user's signature but an arbitrary msg.value, possibly causing the function called by callExternalContract in MembershipFactory to behave unexpectedly.
Manipulating msg.value can lead to unintended state changes, failed external calls, or even loss of funds if the contract logic depends on the amount of Ether sent with the transaction.
Manual review
Ensure that msg.value is part of the meta-transaction data that is signed by the user. This prevents attackers from altering the value without invalidating the signature.
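One way to apply this recommendation, as an added example rather than the audited project's code: the signed EIP-712 struct gains a `value` field and the relayed call is rejected unless `msg.value` matches it. The contract name `ValueBoundMetaTx`, the helper `metaTxDigest`, the domain name and version, and the extra `value` parameter are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited code. Contract name, domain name/version and the
// extra "value" field are assumptions made for illustration.
abstract contract ValueBoundMetaTx {
    // "value" is part of the signed struct, so a relayer cannot pick it freely.
    bytes32 private constant META_TX_TYPEHASH = keccak256(
        "MetaTransaction(uint256 nonce,address from,bytes functionSignature,uint256 value)"
    );
    bytes32 public immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256(bytes("ValueBoundMetaTx")), keccak256(bytes("1")),
            block.chainid, address(this)
        ));
    }

    // EIP-712 digest over (nonce, from, functionSignature, value).
    function metaTxDigest(address user, bytes calldata functionSignature, uint256 value)
        public view returns (bytes32)
    {
        bytes32 structHash = keccak256(abi.encode(
            META_TX_TYPEHASH, nonces[user], user, keccak256(functionSignature), value
        ));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    function executeMetaTransaction(
        address user, bytes calldata functionSignature, uint256 value,
        bytes32 r, bytes32 s, uint8 v
    ) external payable returns (bytes memory ret) {
        // Ether attached by the relayer must equal the amount the user signed.
        require(msg.value == value, "msg.value != signed value");
        address signer = ecrecover(metaTxDigest(user, functionSignature, value), v, r, s);
        require(signer != address(0) && signer == user, "invalid signature");
        nonces[user]++;

        // Forward exactly the signed value; the user address is appended to the
        // calldata as in the common meta-transaction pattern.
        bool ok;
        (ok, ret) = address(this).call{value: value}(abi.encodePacked(functionSignature, user));
        require(ok, "meta-transaction call failed");
    }
}
```

A signature produced for one `value` recovers to a different address when the relayer supplies another, so the call reverts before any state changes.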