Some signatures are not supported #307
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-194
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-01-biconomy/blob/53c8c3823175aeb26dee5529eeefa81240a406ba/scw-contracts/contracts/smart-contract-wallet/paymasters/verifying/singleton/VerifyingSingletonPaymaster.sol#L107-L108
Vulnerability details
Impact
The
VerifyingSingletonPaymaster
intends to support compact signatures . This is known due to the line below :-This contract is using Openzeppelin ECDSA library for verifying the signatures.
Since, this PR , openzeppelin has stopped support for compact signatures for some functions in its library .
Since 4.7.3
Breaking changes
ECDSA
:recover(bytes32,bytes)
andtryRecover(bytes32,bytes)
no longer accept compact signatures to prevent malleability. Compact signature support remains available usingrecover(bytes32,bytes32,bytes32)
andtryRecover(bytes32,bytes32,bytes32)
.VerifyingSingletonPaymaster
usesrecover(bytes32,bytes)
for both 64 length and 65 length signatures.Hence all 64 length signatures will fail , even though the protocol wants to support them .
Proof of Concept
OpenZeppelin/openzeppelin-contracts#3610
Tools Used
Manual
Recommended Mitigation Steps
Use
recover(bytes32,bytes32,bytes32)
ortryRecover(bytes32,bytes32,bytes32)
if you want to support both 64 and 65 length signatures. Also, use nonce if you want to prevent signature malleability .The text was updated successfully, but these errors were encountered: