Steep Rose Rattlesnake
Medium
The VerifierBase.verifyCommon() method can be called by anyone and specifies common.account and common.nonce at will.
After method execution nonces[common.account][common.nonce] is set to true
This will cause subsequent signing of normal transactions to fail
The verifyCommon() method can be called by anyone and specifies any common.account and common.nonce.
This method will have nonces[common.account][common.nonce] set to true
This causes subsequent transactions that are normally signed, to fail to execute properly
No response
No response
- normal user submits any transaction that requires a signature
common.account = 0x123, common.nonce=1 - alice maliciously front run and executes
verifyCommon()- common.domain = alice
- common.signer = alice
- common.account = 0x123
- common.nonce=1
- after nonces[0x123][1]=true
- when execute step 1 transaction will fail with
VerifierInvalidNonceError
There are multiple uses of signatures in the current protocol, such as market.sol/Controller_Incentivized.sol/Manager.sol.
Some, such as cancelOrderWithSignature(), etc., are time-sensitive, and if they are DOS'd may result in an inability to cancel the order, which will result in a loss to the user
No response
Suggest VerifierBase to add whitelisting mechanism to control common.domain only in whitelisting
modifier validateAndCancel(Common calldata common, bytes calldata signature) {
+ if(!isWhitelist(common.domain)) revert VerifierInvalidDomainError();
if (common.domain != msg.sender) revert VerifierInvalidDomainError();
if (signature.length != 65) revert VerifierInvalidSignatureError();
if (nonces[common.account][common.nonce]) revert VerifierInvalidNonceError();
if (groups[common.account][common.group]) revert VerifierInvalidGroupError();
if (block.timestamp >= common.expiry) revert VerifierInvalidExpiryError();
_cancelNonce(common.account, common.nonce);
_;
}