Omniscia Pirex Audit

ERC20SnapshotSolmate Manual Review Findings

ERC20SnapshotSolmate Manual Review Findings

ERS-01M: Insecure Elliptic Curve Recovery Mechanism

Description:

The ecrecover function is a low-level cryptographic function that should be utilized after appropriate sanitizations have been enforced on its arguments, namely on the s and v values. This is due to the inherent trait of the curve to be symmetrical on the x-axis and thus permitting signatures to be replayed with the same x value (r) but a different y value (s).

Example:

contracts/ERC20SnapshotSolmate.sol
148function permit(
149    address owner,
150    address spender,
151    uint256 value,
152    uint256 deadline,
153    uint8 v,
154    bytes32 r,
155    bytes32 s
156) public virtual {
157    require(deadline >= block.timestamp, "PERMIT_DEADLINE_EXPIRED");
158

159    // Unchecked because the only math done is incrementing
160    // the owner's nonce which cannot realistically overflow.
161    unchecked {
162        address recoveredAddress = ecrecover(
163            keccak256(
164                abi.encodePacked(
165                    "\x19\x01",
166                    DOMAIN_SEPARATOR(),
167                    keccak256(
168                        abi.encode(
169                            keccak256(
170                                "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
171                            ),
172                            owner,
173                            spender,
174                            value,
175                            nonces[owner]++,
176                            deadline
177                        )
178                    )
179                )
180            ),
181            v,
182            r,
183            s
184        );
185

186        require(
187            recoveredAddress != address(0) && recoveredAddress == owner,
188            "INVALID_SIGNER"
189        );
190

191        allowance[recoveredAddress][spender] = value;
192    }
193

194    emit Approval(owner, spender, value);
195}

Recommendation:

We advise them to be sanitized by ensuring that v is equal to either 27 or 28 (v ∈ {27, 28}) and to ensure that s is existent in the lower half order of the elliptic curve (0 < s < secp256k1n ÷ 2 + 1) by ensuring it is less than 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A1. A reference implementation of those checks can be observed in the ECDSA library of OpenZeppelin and the rationale behind those restrictions exists within Appendix F of the Yellow Paper.

Alleviation:

The recover function from the ECDSA OpenZeppelin library is now properly used in the codebase preventing the inherent cryptographic attack described from being applicable to the contract.

Prev

ERC1155PresetMinterSupply.sol (ERP-M)

Next

PirexCvx.sol (PCV-M)

On this page