Signature malleability in permit() and permitPositionManagerApproval()
#94
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
insufficient quality report: This report is not of sufficient quality
primary issue: Highest quality submission among a set of duplicates
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/EBTCToken.sol#L199-L221
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/BorrowerOperations.sol#L706
Vulnerability details
Impact
Both permit() and permitPositionManagerApproval() are vulnerable to signature malleability, which allows replay attacks. During the previous Code4rena contest, a similar attack vector was evaluated as Medium/High.
Based on that, I've decided to evaluate the risk of this issue as Medium. It's worth noting that in most of the previous Code4rena contests, the signature malleability vulnerabilities had been detected during the bot race, so they weren't reported as a separate issue. Thus, there aren't many contests which could be used as a reference for proper severity categorization. In the current contest, the bot race did not report the signature malleability issue, so I'm reporting it as a separate issue in this report.
Proof of Concept
In BorrowerOperations.sol, there is a function permitPositionManagerApproval() which sets the given _approval for the specified _borrower and _positionManager.
File: BorrowerOperations
In EBTCToken.sol, there's a function permit(), which approves the given amount for the specified owner and spender.
File: EBTCToken.sol
In both cases, there's no verification of the v, r, s parameters.
Tools Used
Manual code review
Recommended Mitigation Steps
Consider using OpenZeppelin's ECDSA library:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol
Assessed type
Invalid Validation
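Added example, not part of the original report and not code from the audited contracts or from OpenZeppelin: a minimal sketch of the v, r, s validation the report says is missing, performed before ecrecover. The names CanonicalSig, recoverStrict and requireSignedBy are hypothetical, and the caller is assumed to have already built the EIP-712 digest.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative library; all names here are hypothetical and do not
/// come from EBTCToken.sol or BorrowerOperations.sol.
library CanonicalSig {
    // Half of the secp256k1 group order n. For a valid signature, the
    // variant with s replaced by n - s and v switched between 27 and 28
    // also verifies, so only the lower half (s <= n/2) is accepted.
    uint256 internal constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    error InvalidV(uint8 v);
    error NonCanonicalS(bytes32 s);
    error InvalidSignature();
    error UnexpectedSigner(address recovered, address expected);

    /// Recovers the signer of `digest`, reverting on the inputs that a
    /// bare ecrecover call accepts silently.
    function recoverStrict(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        internal
        pure
        returns (address signer)
    {
        if (v != 27 && v != 28) revert InvalidV(v);
        if (uint256(s) > HALF_N) revert NonCanonicalS(s);
        signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) on failure instead of reverting.
        if (signer == address(0)) revert InvalidSignature();
    }

    /// Permit-style check: the recovered address must equal the account
    /// whose approval is being set (for example the owner or borrower).
    function requireSignedBy(
        bytes32 digest,
        uint8 v,
        bytes32 r,
        bytes32 s,
        address expected
    ) internal pure {
        address recovered = recoverStrict(digest, v, r, s);
        if (recovered != expected) revert UnexpectedSigner(recovered, expected);
    }
}
```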