ECDSA.sol version used is subject to signature malleability. #17
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-363
edited-by-warden
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/core/StrategyManager.sol#L293
https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/core/DelegationManager.sol#L94
Vulnerability details
Impact
Depositing and Delegating via a signature is subject to signature malleablility due to use of an old version of ECDSA.sol library that supports compact signatures. This could lead to malleable signatures being used to deposit funds into strategies that a user does not want to deposit into, as well as the possibility of an malleable signature being used to delegate shares to an unintended operator.
Proof of Concept
Pull request for open zeppelin library detailing vuln and fix.
OpenZeppelin/openzeppelin-contracts#3610
Tools Used
Recommended Mitigation Steps
update to latest ECDSA.sol version.
Assessed type
Library
The text was updated successfully, but these errors were encountered: