🔒 M-01 - Prevent Replay Attacks by Enforcing Signature Malleability Check #119

Closed
wants to merge 3 commits into from

Aboudjem
Contributor

M-01. Potential Replay Attack Vulnerability in Signature Verification Logic

  • Issue: Signature malleability due to lack of checks on the s value.
  • Affected Functions: Signature verification logic.
  • Fix: Add check to ensure s value is greater than 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0.

🤖 Slither Analysis Report 🔎

Slither report

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results.
Summary

constable-states

Impact: Optimization
🔴 Confidence: High

base/RegistryAdapter.sol#L12

factory/RegistryFactory.sol#L39

_This comment was automatically generated by the GitHub Actions workflow._

@Aboudjem Aboudjem changed the title Fix/security m01 🔒 M-01 - Prevent Replay Attacks by Enforcing Signature Malleability Check Jul 31, 2024
Base automatically changed from fix/security-h03 to fix/security-h02 August 5, 2024 15:14
Base automatically changed from fix/security-h02 to fix/security-h01 August 5, 2024 15:39
Base automatically changed from fix/security-h01 to remediations/cyfrin August 5, 2024 15:40
@livingrockrises
Contributor

Hang on.. in any case we should probably use oz ECDSA library directly instead of making s checks in our code.

@livingrockrises livingrockrises marked this pull request as draft August 10, 2024 15:11
@VGabriel45
VGabriel45 commented Aug 12, 2024

> Hang on.. in any case we should probably use oz ECDSA library directly instead of making s checks in our code.

It uses the same logic as in the OZ ECDSA library, the signature with the lower 's' value is considered valid.
If we only need this check I think using the OZ ECDSA library will just increase the code size even more.
@livingrockrises @Aboudjem

@Aboudjem
Contributor Author

> > Hang on.. in any case we should probably use oz ECDSA library directly instead of making s checks in our code.
>
> It uses the same logic as in the OZ ECDSA library, the signature with the lower 's' value is considered valid. If we only need this check I think using the OZ ECDSA library will just increase the code size even more. @livingrockrises @Aboudjem

I agree with the code size concerns, that's something that we will need to fix after the remediations.

But libraries work in such a way that they extend the code size only for the used functions, so it will not add the whole library code size.

@livingrockrises
Contributor

Yeah, you aren't inheriting really, so it's not a codesize thing..
Anyway, I confirmed with Spearbit auditors that this is not an issue, so I am going to cancel this PR.
