You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Unauthorized Nonce Cancellation in VerifierBase Contract
Summary
A critical security vulnerability has been identified in the VerifierBase contract, specifically within the nonce cancellation logic. The flaw allows an attacker to cancel nonces belonging to other users without authorization, potentially leading to Denial-of-Service (DoS) attacks or other security breaches.
Vulnerability Detail
The VerifierBase contract lacks proper validation to ensure that only the account owner can cancel their own nonces. Specifically, the validateAndCancel modifier does not verify that common.account is equal to common.signer. This omission allows an attacker to cancel nonces for any account by providing a valid signature from their own account.
1. Preparation:
The attacker constructs a Common struct where:
• common.account is set to the victim’s address.
• common.signer is set to the attacker’s own address.
• Other fields (nonce, group, expiry) are filled as needed.
2. Signature Generation:
• The attacker signs the Common struct with their own private key.
3. Nonce Cancellation:
• The attacker calls the cancelNonceWithSignature function, passing the crafted Common struct and the signature.
4. Result:
• Due to the lack of proper validation, the contract accepts the signature (since it matches common.signer).
• The nonce for common.account (the victim) is canceled without the victim’s consent.
Impact
Denial-of-Service (DoS): Attackers can repeatedly cancel nonces for target accounts, preventing them from executing legitimate transactions that depend on those nonces.
Security Breach: Compromised nonce management could lead to further vulnerabilities, including replay attacks if nonce-dependent mechanisms are not reliable.
/// @dev Validates the common data of a message
modifier validateAndCancel(Common calldata common, bytes calldata signature) {
if (common.domain != msg.sender) revert VerifierInvalidDomainError();
if (signature.length != 65) revert VerifierInvalidSignatureError();
if (nonces[common.account][common.nonce]) revert VerifierInvalidNonceError();
if (groups[common.account][common.group]) revert VerifierInvalidGroupError();
if (block.timestamp >= common.expiry) revert VerifierInvalidExpiryError();
_cancelNonce(common.account, common.nonce);
_;
}
modifier validateAndCancel(Common calldata common, bytes calldata signature) {
if (common.domain != msg.sender) revert VerifierInvalidDomainError();
if (signature.length != 65) revert VerifierInvalidSignatureError();
if (nonces[common.account][common.nonce]) revert VerifierInvalidNonceError();
if (groups[common.account][common.group]) revert VerifierInvalidGroupError();
if (block.timestamp >= common.expiry) revert VerifierInvalidExpiryError();
// Added validation to ensure only the account owner can cancel their nonce
if (common.account != common.signer) revert VerifierInvalidSignerError();
_cancelNonce(common.account, common.nonce);
_;
}
The text was updated successfully, but these errors were encountered:
sherlock-admin3
changed the title
Winning Lead Ape - Unauthorized Nonce Cancellation in VerifierBase Contract
Albort - Unauthorized Nonce Cancellation in VerifierBase Contract
Sep 23, 2024
Albort
High
Unauthorized Nonce Cancellation in VerifierBase Contract
Summary
A critical security vulnerability has been identified in the VerifierBase contract, specifically within the nonce cancellation logic. The flaw allows an attacker to cancel nonces belonging to other users without authorization, potentially leading to Denial-of-Service (DoS) attacks or other security breaches.
Vulnerability Detail
The VerifierBase contract lacks proper validation to ensure that only the account owner can cancel their own nonces. Specifically, the validateAndCancel modifier does not verify that common.account is equal to common.signer. This omission allows an attacker to cancel nonces for any account by providing a valid signature from their own account.
Impact
Denial-of-Service (DoS): Attackers can repeatedly cancel nonces for target accounts, preventing them from executing legitimate transactions that depend on those nonces.
Security Breach: Compromised nonce management could lead to further vulnerabilities, including replay attacks if nonce-dependent mechanisms are not reliable.
Code Snippet
abstract contract VerifierBase is IVerifierBase, EIP712 {
// ... [other code]
}
https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/root/contracts/verifier/VerifierBase.sol#L76
Tool used
Manual Review
Recommendation
modifier validateAndCancel(Common calldata common, bytes calldata signature) {
if (common.domain != msg.sender) revert VerifierInvalidDomainError();
if (signature.length != 65) revert VerifierInvalidSignatureError();
if (nonces[common.account][common.nonce]) revert VerifierInvalidNonceError();
if (groups[common.account][common.group]) revert VerifierInvalidGroupError();
if (block.timestamp >= common.expiry) revert VerifierInvalidExpiryError();
}
The text was updated successfully, but these errors were encountered: