_validateSigner() cross-chain re-use signature risk

Summary

_validateSigner() not add chainId to signature have re-use signature risk if There is a need for subsequent deployment in other chains.

Vulnerability Detail

_validateSigner() without chainId

    function _validateSigner(
        uint256 timestamp,
        address asset,
        uint256 price,
        bytes memory signature
    ) internal view returns (bool) {
        bytes32 digest = ECDSA.toEthSignedMessageHash(
            keccak256(abi.encodePacked(timestamp, asset, price)) //***@audit without chainId***/
        );
        address recoveredSigner = ECDSA.recover(digest, signature);
        return recoveredSigner == publisher;
    }

Impact

cross-chain re-use signature risk

Code Snippet

https://github.com/sherlock-audit/2022-11-buffer/blob/main/contracts/contracts/core/BufferRouter.sol#L260-L271

Tool used

Manual Review

Recommendation

signature with chainid

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

160.md

160.md

_validateSigner() cross-chain re-use signature risk

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

160.md

Latest commit

History

160.md

File metadata and controls

_validateSigner() cross-chain re-use signature risk

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation