This repository has been archived by the owner on Dec 20, 2024. It is now read-only.
GovernanceStakerOnBehalf nonces can be consumed for any address by any depositor #32
Labels
Low/Info
Description
`GovernanceStakerOnBehalf` enables actions on deposits to be carried out on behalf of another user. These actions can be carried out using off-chain signatures, and nonces are implemented in order to avoid signature replay, which is a standard protection.
However, for the endpoint `claimRewardOnBehalf`, it is not clear if the signature provided is that of the claimer of the deposit or of the owner of the deposit (both are accepted).
The signature for the claimer of the deposit is tested first, but it uses the nonce even if the signature is invalid for the claimer:
GovernanceStakerOnBehalf.sol#L259:
Nonces.sol#L28-L35:
Scenario
A depositor Bob can bump any nonce for any address Alice by doing the following in one transaction:
1/ Setting Alice as a claimer for a deposit Bob owns
2/ Calling `claimRewardsOnBehalfOf` with Bob's signature
3/ Resetting the claimer to a Bob-controlled address.
Impact
Any action done on `GovernanceStakerOnBehalf` can be DOSed by a malicious actor bumping the nonce on behalf of the victim user.
Recommendation
Only use the nonce when the signature has been confirmed as valid. Here, instead of `_useNonce`, the function `nonces()` can be used to get the nonce:
GovernanceStakerOnBehalf.sol#L259:
And then the nonce should be used once the signature has been validated.
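The ordering described in the recommendation, as an added Solidity sketch that is not the audited contract's code: only `nonces()` and `_useNonce` follow names used on this page; the contract, the other function names, the event and the simplified digest are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. claimer/owner would be read from the deposit in
// storage; they are parameters here to keep the sketch short. The digest is
// simplified (no EIP-712 domain, no deposit id) and is an assumption.
contract NonceOrderingSketch {
    mapping(address => uint256) private _nonces;
    event Claimed(address signer);

    // Read-only view of the next expected nonce.
    function nonces(address who) public view returns (uint256) {
        return _nonces[who];
    }

    // Returns the current nonce and increments it (state change).
    function _useNonce(address who) internal returns (uint256) {
        return _nonces[who]++;
    }

    function _signedBy(address who, uint256 nonce, uint8 v, bytes32 r, bytes32 s)
        internal view returns (bool)
    {
        bytes32 digest = keccak256(abi.encode(address(this), block.chainid, who, nonce));
        address rec = ecrecover(digest, v, r, s);
        return rec != address(0) && rec == who;
    }

    // Pattern from the finding: the claimer's nonce is spent before the
    // signature is known to be the claimer's, so a valid owner signature
    // still advances the claimer's nonce.
    function claimNonceFirst(address claimer, address owner, uint8 v, bytes32 r, bytes32 s) external {
        if (_signedBy(claimer, _useNonce(claimer), v, r, s)) { emit Claimed(claimer); return; }
        require(_signedBy(owner, _useNonce(owner), v, r, s), "invalid signature");
        emit Claimed(owner);
    }

    // Recommended ordering: validate against nonces() first, then consume
    // the nonce of the address whose signature actually verified.
    function claimValidateFirst(address claimer, address owner, uint8 v, bytes32 r, bytes32 s) external {
        address signer;
        if (_signedBy(claimer, nonces(claimer), v, r, s)) signer = claimer;
        else if (_signedBy(owner, nonces(owner), v, r, s)) signer = owner;
        else revert("invalid signature");
        _useNonce(signer);
        emit Claimed(signer);
    }
}
```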