Skip to content

Latest commit

 

History

History
89 lines (68 loc) · 3.14 KB

047.md

File metadata and controls

89 lines (68 loc) · 3.14 KB
Raw

Dandy Caramel Tortoise

Medium

Attacker can DOS the by delegation methods of the market registry contract by directly passing the signature to Verifier contract

Summary

Attacker can DOS the by delegation methods of the market registry contract by directly passing the signature to Verifier contract

Root Cause

The MarketRegistry contract exposes attestaion/revocation methods based on delegation ie. signatures. These signatures are then passed on to the TellerASEIP712Verifier contract for verification

    function _attestStakeholderViaDelegation(
        uint256 _marketId,
        address _stakeholderAddress,
        uint256 _expirationTime,
        bool _isLender,
        uint8 _v,
        bytes32 _r,
        bytes32 _s
    )
        internal

But the Verifier contract allows anybody to call it and increments the nonce if a valid signature is passed. This allows a user to pass the delegation signature directly to the verifier contract which will increment the nonce of the signer hence reverting when the actual call from the MarketRegistry happens

    function attest(
        address recipient,
        bytes32 schema,
        uint256 expirationTime,
        bytes32 refUUID,
        bytes calldata data,
        address attester,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external override {
        bytes32 digest = keccak256(
            abi.encodePacked(
                "\x19\x01",
                DOMAIN_SEPARATOR,
                keccak256(
                    abi.encode(
                        ATTEST_TYPEHASH,
                        recipient,
                        schema,
                        expirationTime,
                        refUUID,
                        keccak256(data),
                        _nonces[attester]++
                    )
                )
            )
        );

        address recoveredAddress = ecrecover(digest, v, r, s);
        if (recoveredAddress == address(0) || recoveredAddress != attester) {
            revert InvalidSignature();
        }

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. MarketRegistry admin decides to attest a user by delegation
  2. Attacker frontruns this tx and submits the signature to the Verifier contract direclty
  3. The call from MarketRegistry reverts because the nonce has already been increased and the signature wouldn't match

Impact

Attacker can DOS the byDelegation methods of attestation and revocation (currently revoking doesn't pass on the call to TellerAS contract but ideally it would)

PoC

No response

Mitigation

Maintain an internal verification mechanism rather than doing it in an external contract or enforce access control