Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Invalid

Use of `ecrecover` leads to potential signature malleability

Summary

NativeMetaTransaction.verify() verifies signatures with a raw ecrecover() call, an outdated approach that leaves NativeMetaTransaction.executeMetaTransaction() exposed to signature malleability.

Vulnerability Details

A single valid signature can be represented by more than one (R, S, V) triple. This allows a relayer calling NativeMetaTransaction.executeMetaTransaction() to pass in altered signature data that still recovers to the signer, and the call then executes with that altered data.

When a wallet generates an S value such that S > secp256k1n / 2, the valid signature (R, S, V) has a mathematically equivalent counterpart (R, secp256k1n - S, V swapped between 27 and 28). Standard libraries and wallets can therefore emit signatures whose S value lies in the upper half of the curve order, so the signature has a malleable counterpart.

```solidity
// secp256k1n is the order of the secp256k1 curve.
// Original valid signature
// R = 0x123...
// S = 0x456... (when S > secp256k1n / 2)
// V = 27
// Malleable equivalent
// R = 0x123...
// S' = secp256k1n - S
// V' = 28
```

Impact

Replay attacks are possible during executeMetaTransaction(). This function is intended to call any function of the inheriting contracts, OWPIdentity.sol and MembershipFactory.sol.

Tools Used

Manual Review

Recommendations

Use ECDSA.tryRecover() from OpenZeppelin instead of raw ecrecover. It rejects any signature whose s value lies in the upper half of the curve order (s > secp256k1n / 2) and accepts only v values of 27 or 28.
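Added example, not code from this submission or the One World contracts: a pure-Python model of secp256k1 (Python 3.8+, no dependencies) that signs a digest, builds the (R, secp256k1n - S, V swapped) counterpart described under Vulnerability Details, shows that both encodings recover the same public key, and applies the low-s bound that the recommended ECDSA.tryRecover() enforces. The private key, digest and nonce are constructed sample values, and the result is compared as a public key rather than an address because keccak256 is not in the standard library.

```python
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order (secp256k1n)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sign(z, d, k):
    # ECDSA (r, s, v) over digest z with key d and nonce k; assumes x(kG) < N so v only carries y's parity
    x, y = mul(k, G)
    r = x % N
    return r, pow(k, -1, N) * (z + r * d) % N, 27 + (y & 1)

def recover(z, r, s, v):
    # the public key ecrecover derives before hashing it to an address: Q = r^-1 * (s*R - z*G)
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)  # modular sqrt; valid because P % 4 == 3
    if (y & 1) != (v - 27): y = P - y
    r_inv = pow(r, -1, N)
    return add(mul(s * r_inv % N, (r, y)), mul(-z * r_inv % N, G))

def malleate(r, s, v):
    # the second valid encoding described above: (R, secp256k1n - S, V swapped between 27 and 28)
    return r, N - s, 55 - v
def is_low_s(s):
    # the bound raw ecrecover never checks and ECDSA.tryRecover() rejects on (s <= secp256k1n / 2)
    return 0 < s <= N // 2
def demo(d=0xC0FFEE1234, z=0xDEADBEEF5678, k=0xABCDEF99):
    # constructed sample key, digest and nonce (a real digest would be the EIP-712 meta-tx hash)
    sig = sign(z, d, k)
    mal = malleate(*sig)
    both = recover(z, *sig) == recover(z, *mal) == mul(d, G)
    return sig, mal, both, (is_low_s(sig[1]), is_low_s(mal[1]))
```

demo() returns the original triple, its counterpart, True when both recover the signer's key, and the pair of low-s verdicts, of which exactly one is True.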

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
