052.md

Old Navy Gorilla

Medium

Missing nonce in allows signature replay

Summary

Within the function _isSignatureValid there isn't a nonce increment check which allows attackers to perform replay attack griefing previous investment before the deadline.

Root Cause

Within the function _isSignatureValid there isn't a nonce increment check.

https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/1791f41b310489aaa66de349ef1b9e4bd331f14b/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol#L212

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. The signer signs a message that does not include a nonce.
2. The signature is intercepted and copied by an attacker from the previous transaction.
3. The attacker is then able to re-use this signature to re-send the transaction setting the original signer investment to 0, griefing investment.

Impact

A griefer/attacker can perform replay attack with previous kyc address's investment and set it to 0, since this is the Invest is the main function it does break the core functionaility

PoC

No response

Mitigation

Include a incrementing nonce everytime Invest function is called.