You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Nonce verification is not performed in sequential order.
Summary
In the claim function, the nonce check is not strictly enforced in sequential order, which may lead to frontrunning attacks or re-org and render some users' signatures invalid.
Root Cause
In the claim function, the nonce check does not enforce a strictly incremental requirement.
if (_params.nonce <= nonces[_params.kycAddress]) {
revertInvalidNonce();
}
if (!_isSignatureValid(_params)) {
revertInvalidSignature();
}
// update nonce
nonces[_params.kycAddress] = _params.nonce;
The user receives two signatures with nonce=1 and nonce=2 and can either initiate sequential transactions to execute these two claims or combine both claim calls into a single atomic transaction.
For the first scenario, if a block reorganization occurs and the transaction with nonce=2 is executed first, the contract will update the user's nonce to 2. When the transaction with nonce=1 is later executed, it will fail (revert) because the nonce in the contract no longer matches the nonce in the signature, making the transaction invalid.
For the second scenario, a malicious actor can front-run the user's nonce=2 signautre claim transaction. Once the malicious claim is executed, the user's nonce in the contract will be updated to 2. Consequently, the user's own nonce=2 claim transaction will fail due to a nonce mismatch, and their nonce=1 claim transaction will also be invalidated because the contract's nonce has already been advanced, preventing it from being executed.
Impact
Some of the user's signatures for specific nonces may become invalid and cannot be executed, leading to potential financial losses.
PoC
No response
Mitigation
- if (_params.nonce <= nonces[_params.kycAddress]) {+ if (_params.nonce == nonces[_params.kycAddress] + 1) {
revert InvalidNonce();
}
if (!_isSignatureValid(_params)) {
revert InvalidSignature();
}
// update nonce
nonces[_params.kycAddress] = _params.nonce;
The text was updated successfully, but these errors were encountered:
sherlock-admin3
changed the title
Magnificent Maroon Cuckoo - Nonce verification is not performed in sequential order.
shaflow01 - Nonce verification is not performed in sequential order.
Nov 23, 2024
shaflow01
Medium
Nonce verification is not performed in sequential order.
Summary
In the
claim
function, the nonce check is not strictly enforced in sequential order, which may lead to frontrunning attacks or re-org and render some users' signatures invalid.Root Cause
In the
claim
function, the nonce check does not enforce a strictly incremental requirement.https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/1791f41b310489aaa66de349ef1b9e4bd331f14b/vvv-platform-smart-contracts/contracts/vc/VVVVCTokenDistributor.sol#L115
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
nonce=1
andnonce=2
and can either initiate sequential transactions to execute these two claims or combine bothclaim
calls into a single atomic transaction.nonce=2
is executed first, the contract will update the user'snonce
to 2. When the transaction withnonce=1
is later executed, it will fail (revert
) because thenonce
in the contract no longer matches thenonce
in the signature, making the transaction invalid.nonce=2
signautre claim transaction. Once the malicious claim is executed, the user'snonce
in the contract will be updated to 2. Consequently, the user's ownnonce=2
claim transaction will fail due to a nonce mismatch, and theirnonce=1
claim transaction will also be invalidated because the contract'snonce
has already been advanced, preventing it from being executed.Impact
Some of the user's signatures for specific nonces may become invalid and cannot be executed, leading to potential financial losses.
PoC
No response
Mitigation
The text was updated successfully, but these errors were encountered: