Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[M-01] Potential Signature Malleability and Replay Attack Vulnerability in Claim Verification #50

Open
softstackio opened this issue Sep 9, 2024 · 0 comments
Open

[M-01] Potential Signature Malleability and Replay Attack Vulnerability in Claim Verification #50

softstackio opened this issue Sep 9, 2024 · 0 comments

Comments

@softstackio
Copy link

softstackio commented Sep 9, 2024
edited
Loading

Description:
The claimMessageMatchesSignature function in the ClaimContract uses the Solidity ecrecover function directly to verify signatures. This implementation is vulnerable to signature malleability, which could potentially lead to replay attacks or other security issues.

Impact:

  1. Signature Malleability: The ecrecover EVM opcode allows for malleable (non-unique) signatures. For every valid signature (r,s,v), there exists another valid signature (r,-s mod N,v') for the same message and signer.
  2. Potential for Replay Attacks: While the current implementation may not be directly vulnerable to replay attacks due to other safeguards (like balance checks), the use of malleable signatures is considered a security risk and could become problematic if the contract is modified or integrated with other systems.
  3. Inconsistent Signature Verification: Malicious actors could potentially create multiple valid signatures for the same message, which could lead to unexpected behavior or confusion in logging and auditing processes.

The vulnerability is present in the following part of the claimMessageMatchesSignature function:
return ecrecover(messageHash, _v, _r, _s) == pubKeyEthAddr;

This direct use of ecrecover does not protect against signature malleability.

Proof of Concept:

  1. A valid signature (r, s, v) is created for a claim.
  2. An attacker could create a new signature (r, -s mod N, v') which would also be valid for
    the same claim.
  3. Both signatures would pass the verification in claimMessageMatchesSignature.

Recommended Mitigation Steps:

  1. Use OpenZeppelin's ECDSA library for signature verification:
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
function claimMessageMatchesSignature(
   address _claimToAddr,
   bytes memory _postFix,
   bytes32 _pubKeyX,
   bytes32 _pubKeyY,
   uint8 _v,
   bytes32 _r,
   bytes32 _s
) public view returns (bool) {
   bytes32 messageHash = getHashForClaimMessage(_claimToAddr, _postFix);
   address signer = ECDSA.recover(messageHash, _v, _r, _s);
   return signer != address(0) && signer == pubKeyToEthAddress(_pubKeyX,
_pubKeyY); }
  1. Implement additional checks to ensure the signature components are within valid ranges:
require(_s <=
0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
"Invalid signature 's' value");
  1. Consider implementing a nonce system for each claim to prevent any possibility of replay attacks:
mapping(bytes20 => uint256) public nonces;
function claimMessageMatchesSignature(
   // ... existing parameters ...
   uint256 nonce
) public view returns (bool) {
   require(nonce == nonces[oldAddress], "Invalid nonce");
   // ... rest of the function ...
}
@softstackio softstackio changed the title [M-01] Signature Malleability in Ecrecover [M-01] Potential Signature Malleability and Replay Attack Vulnerability in Claim Verification Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@softstackio