Omniscia Faith Tribe Audit
NativeMetaTransaction Manual Review Findings
NMT-01M: Insecure Elliptic Curve Recovery Mechanism
| Type | Severity | Location |
|---|---|---|
| Language Specific | Medium | NativeMetaTransaction.sol:L92, L93 |
Description:
The ecrecover function is a low-level cryptographic primitive that should only be invoked after appropriate sanitization has been enforced on its arguments, namely on the s and v values. This is due to the inherent trait of the curve being symmetric about the x-axis, which permits a signature to be replayed with the same x value (r) but a different (complementary) y value (s).
Example:
```solidity
88  function verify(
89      address signer,
90      MetaTransaction memory metaTx,
91      bytes32 sigR,
92      bytes32 sigS,
93      uint8 sigV
94  ) internal view returns (bool) {
95      require(signer != address(0), "NativeMetaTransaction: INVALID_SIGNER");
96      return
97          signer ==
98          ecrecover(
99              toTypedMessageHash(hashMetaTransaction(metaTx)),
100             sigV,
101             sigR,
102             sigS
103         );
104 }
```
Recommendation:
We advise the s and v values to be sanitized by ensuring that v is equal to either 27 or 28 (v ∈ {27, 28}) and that s lies in the lower half order of the elliptic curve (0 < s < secp256k1n ÷ 2 + 1) by ensuring it is less than 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A1. A reference implementation of those checks can be observed in the ECDSA library of OpenZeppelin, and the rationale behind those restrictions is given in Appendix F of the Yellow Paper.
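The following is an added illustration of the recommended sanitization applied to the verify function above; it is not the project's code or the exact alleviation the team shipped. It assumes the MetaTransaction struct, hashMetaTransaction and toTypedMessageHash exist in the surrounding contract as in the original snippet (declared here as abstract placeholders so the example compiles on its own), and it uses the upper bound for s quoted in the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative hardened version of verify(); not the audited project's code.
abstract contract HardenedNativeMetaTransaction {
    // Placeholder for the struct the original contract defines (assumed shape).
    struct MetaTransaction {
        uint256 nonce;
        address from;
        bytes functionSignature;
    }

    // secp256k1n / 2 + 1: s must be strictly below this value (lower half order),
    // exactly as stated in the recommendation.
    uint256 private constant SECP256K1_HALF_ORDER_PLUS_ONE =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A1;

    // Assumed to be implemented elsewhere in the contract (EIP-712 helpers).
    function hashMetaTransaction(MetaTransaction memory metaTx) internal view virtual returns (bytes32);
    function toTypedMessageHash(bytes32 messageHash) internal view virtual returns (bytes32);

    function verify(
        address signer,
        MetaTransaction memory metaTx,
        bytes32 sigR,
        bytes32 sigS,
        uint8 sigV
    ) internal view returns (bool) {
        require(signer != address(0), "NativeMetaTransaction: INVALID_SIGNER");

        // Only the two canonical recovery identifiers are accepted.
        require(sigV == 27 || sigV == 28, "NativeMetaTransaction: INVALID_V");

        // Reject s == 0 and any s in the upper half of the curve order, so that
        // the mirrored (r, n - s) form of a signature is not accepted as a second,
        // distinct signature over the same message.
        uint256 s = uint256(sigS);
        require(s > 0 && s < SECP256K1_HALF_ORDER_PLUS_ONE, "NativeMetaTransaction: INVALID_S");

        address recovered = ecrecover(
            toTypedMessageHash(hashMetaTransaction(metaTx)),
            sigV,
            sigR,
            sigS
        );

        // ecrecover yields address(0) on malformed input; signer is non-zero,
        // so such a result can never satisfy the equality below.
        return signer == recovered;
    }
}
```

The two require statements sit before the ecrecover call so that a malformed signature fails fast with a descriptive reason rather than silently recovering address(0); the s bound is compared as a uint256 because bytes32 values cannot be ordered directly in Solidity.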
Alleviation:
Proper validation of the ECDSA recovery signature parameters is now performed.