
Darinrikusham - Signature entered in createAttestation function in EthosAttestation contract could lead to anyone using signature for malicious purpose for other profileId #298

Open
sherlock-admin2 opened this issue Nov 4, 2024 · 0 comments
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Won't Fix The sponsor confirmed this issue will not be fixed

Comments


sherlock-admin2 commented Nov 4, 2024

Darinrikusham

High

Signature entered in createAttestation function in EthosAttestation contract could lead to anyone using signature for malicious purpose for other profileId

Summary

Because abi.encodePacked() is used for hashing and validating the signature over the input params, in which profileId and randValue (both of type uint256) are adjacent params of the createAttestation function, anyone could use the signature for a profileId other than the one the Ethos signer signed it for.

Root Cause

Because abi.encodePacked() is used in the underlying function that validates the input against the signature, and profileId and randValue are two adjacent inputs of type uint256, a differently split combination of inputs could reuse the same signature and exploit it.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  • For example, a user with profileId 223 requests createAttestation; Ethos generates a randValue, for example 356; the user passes in the other params and retrieves the signature from Ethos.
  • Someone with profileId 22 observes this transaction and, using profileId 22 and randValue 3356 with the other inputs unchanged, can use the same signature before the above transaction is mined from the mempool.

Impact

  • Anyone can observe a transaction in the mempool and exploit the signature for their own needs, leading to various attack vectors, one of which is making the account and service value unusable for the original user for whom Ethos signed the particular transaction.
  • This could lead to DoS for the original user and can also lead to further attack vectors in other functionalities of the protocol.

PoC

No response

Mitigation

This issue can be mitigated by using abi.encode() instead of abi.encodePacked(), or by changing the input param combination so that profileId and randValue are not adjacent.

@sherlock-admin4 sherlock-admin4 changed the title Tart Coral Jay - Signature entered in createAttestation function in EthosAttestation contract could lead to anyone using signature for malicious purpose for other profileId Darinrikusham - Signature entered in createAttestation function in EthosAttestation contract could lead to anyone using signature for malicious purpose for other profileId Nov 20, 2024
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Won't Fix The sponsor confirmed this issue will not be fixed labels Nov 27, 2024
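The packed-encoding ambiguity the report is built on, as an added example (editor's code, not Ethos or Sherlock code; it does not reproduce the EthosAttestation contract, whose exact hashing layout is not shown on this page). It implements Solidity's abi.encodePacked and abi.encode for a few types, plus a pure-Python Keccak-256 so the digests match what keccak256 would produce on-chain; encode_packed, abi_encode, packed_digest, encoded_digest and collides are names invented here, and the argument lists are constructed samples. The string pair ("ab","c") versus ("a","bc") shows a genuine packed collision: the bytes are identical, so a signature over that digest verifies for both argument sets, while abi.encode keeps them apart. The report's own values (223, 356) and (22, 3356) are also fed through encode_packed: each uint256 occupies a fixed 32 bytes, so those two pairs produce different bytes; the collision class needs adjacent fields of dynamic length (bytes, string, arrays).

```python
"""abi.encodePacked vs abi.encode collision demo (added example, not project code)."""

_MASK = (1 << 64) - 1
_RC = [  # Keccak-f[1600] round constants
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],  # rho offsets [x][y]
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK if n else v


def _keccak_f1600(lanes):
    """One permutation over 25 64-bit lanes; lane (x, y) lives at index x + 5*y."""
    for rc in _RC:
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(lanes[x + 5 * y], _ROT[x][y])  # rho + pi
        lanes = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]                                            # chi
        lanes[0] ^= rc                                                          # iota
    return lanes


def keccak256(data: bytes) -> bytes:
    """Ethereum keccak256 (original Keccak padding 0x01...0x80, rate 136 bytes)."""
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f1600(lanes)
    return b"".join(lane.to_bytes(8, "little") for lane in lanes[:4])


def encode_packed(*args):
    """Solidity abi.encodePacked: no padding and no length prefix for dynamic types."""
    out = b""
    for typ, val in args:
        if typ == "uint256":
            out += val.to_bytes(32, "big")
        elif typ == "address":
            out += bytes.fromhex(val[2:])  # 20 raw bytes
        elif typ in ("bytes", "string"):
            out += val if isinstance(val, bytes) else val.encode()
        else:
            raise ValueError(f"unsupported type {typ}")
    return out


def abi_encode(*args):
    """Solidity abi.encode: 32-byte head slots; dynamic data is length-prefixed in the tail."""
    head, tail = b"", b""
    head_size = 32 * len(args)
    for typ, val in args:
        if typ == "uint256":
            head += val.to_bytes(32, "big")
        elif typ == "address":
            head += bytes.fromhex(val[2:]).rjust(32, b"\0")
        elif typ in ("bytes", "string"):
            raw = val if isinstance(val, bytes) else val.encode()
            head += (head_size + len(tail)).to_bytes(32, "big")  # offset of this item's tail
            tail += len(raw).to_bytes(32, "big") + raw.ljust(-(-len(raw) // 32) * 32, b"\0")
        else:
            raise ValueError(f"unsupported type {typ}")
    return head + tail


def packed_digest(*args):
    return keccak256(encode_packed(*args))


def encoded_digest(*args):
    return keccak256(abi_encode(*args))


def collides(encoder, a, b):
    """True when two distinct argument lists serialize to identical bytes under `encoder`."""
    return a != b and encoder(*a) == encoder(*b)


# Constructed samples (not from the Ethos contract).
DYNAMIC_A = (("string", "ab"), ("string", "c"))   # packs to b"abc"
DYNAMIC_B = (("string", "a"), ("string", "bc"))   # also packs to b"abc"
FIXED_A = (("uint256", 223), ("uint256", 356))    # the report's values: 2 x 32 fixed bytes
FIXED_B = (("uint256", 22), ("uint256", 3356))

if __name__ == "__main__":
    print("packed   dynamic collision:", collides(encode_packed, DYNAMIC_A, DYNAMIC_B))
    print("abi.encode dynamic collision:", collides(abi_encode, DYNAMIC_A, DYNAMIC_B))
    print("packed   uint256 collision:", collides(encode_packed, FIXED_A, FIXED_B))
    print("packed digest A:", packed_digest(*DYNAMIC_A).hex())
    print("packed digest B:", packed_digest(*DYNAMIC_B).hex())
```

The check a signature scheme wants is the one `collides` performs on the pre-hash bytes: if two legitimate-looking argument lists serialize identically, the signer has authorized both, and a front-runner only needs to find the second split. abi.encode removes that ambiguity by giving every field its own 32-byte slot plus an explicit length for dynamic data.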