{"componentChunkName":"component---node-modules-rocketseat-gatsby-theme-docs-core-src-templates-docs-query-js","path":"/manual-review/EIP712Lib-EIP","result":{"data":{"mdx":{"id":"260f0188-7e28-5ccf-8a30-17457a1ea173","excerpt":"EIP-01M: Limiting Signature Verification Process Type Severity Location Logical Fault EIP712Lib.sol:L50-L52 ,  L69-L71 ,  L73-L85 Description: The  EIP712Lib…","fields":{"slug":"/manual-review/EIP712Lib-EIP/"},"frontmatter":{"title":"EIP712Lib Manual Review Findings","description":"Contains all the findings that relate to manual review on the contract codebase","image":null,"disableTableOfContents":null},"body":"var _excluded = [\"components\"];\n\nfunction _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsxRuntime classic */\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"EIP712Lib Manual Review Findings\",\n  \"description\": \"Contains all the findings that relate to manual review on the contract codebase\"\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, _excluded);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"span-ideip-01meip-01m-limiting-signature-verification-processspan\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#span-ideip-01meip-01m-limiting-signature-verification-processspan\",\n    \"aria-label\": \"span ideip 01meip 01m limiting signature verification processspan permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"span\", {\n    id: \"EIP-01M\"\n  }, \"EIP-01M: Limiting Signature Verification Process\")), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Type\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Severity\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Location\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"/reports/boson-protocol-version-2.5.0-68d13ccd7155940015e05fd3/appendix/finding-types#logical-fault\"\n  }, \"Logical Fault\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"img\", {\n    parentName: \"td\",\n    \"className\": \"o-severity o-minor\",\n    \"src\": \"https://omniscia.io/report-assets/minor.png\"\n  })), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/bosonprotocol/boson-protocol-contracts/blob/6a14c31bead936ed03b2d51ab82010ecd1047f40/contracts/protocol/libs/EIP712Lib.sol#L50-L52\"\n  }, \"EIP712Lib.sol:L50-L52\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/bosonprotocol/boson-protocol-contracts/blob/6a14c31bead936ed03b2d51ab82010ecd1047f40/contracts/protocol/libs/EIP712Lib.sol#L69-L71\"\n  }, \"L69-L71\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/bosonprotocol/boson-protocol-contracts/blob/6a14c31bead936ed03b2d51ab82010ecd1047f40/contracts/protocol/libs/EIP712Lib.sol#L73-L85\"\n  }, \"L73-L85\"))))), mdx(\"h3\", {\n    \"id\": \"description\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#description\",\n    \"aria-label\": \"description permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Description:\"), mdx(\"p\", null, \"The \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/bosonprotocol/boson-protocol-contracts/blob/6a14c31bead936ed03b2d51ab82010ecd1047f40/contracts/protocol/libs/EIP712Lib.sol#L60-L121\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"EIP712Lib::verify\")), \" function is meant to verify that a particular hashed message has been authorized either through \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-1271\"\n  }, \"EIP-1271\"), \" or signature validation.\"), mdx(\"p\", null, \"The current approach's error handling seems inconsistent, as the function implies a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"revert\"), \" will occur if the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"_user\"), \" is a contract that does not implement \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-1271\"\n  }, \"EIP-1271\"), \" which is not the case.\"), mdx(\"p\", null, \"Additionally, the implementation does not seem to account for smart accounts (EIP-7702) and will fatally \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"revert\"), \" in case \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-1271\"\n  }, \"EIP-1271\"), \" is not adhered to strictly even though signature validation might ultimately succeed.\"), mdx(\"h3\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact:\"), mdx(\"p\", null, \"The documentation presently implies a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"revert\"), \" case that is unfulfilled, and will \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"revert\"), \" in certain edge cases that would otherwise succeed in signature validation of the previous implementation.\"), mdx(\"h3\", {\n    \"id\": \"example\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#example\",\n    \"aria-label\": \"example permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-sol\",\n    \"metastring\": \"title=contracts/protocol/libs/EIP712Lib.sol highlight={7,8,9,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43} lineNumbers=true lineOffset=43\",\n    \"title\": \"contracts/protocol/libs/EIP712Lib.sol\",\n    \"highlight\": \"{7,8,9,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43}\",\n    \"lineNumbers\": \"true\",\n    \"lineOffset\": \"43\"\n  }, \"/**\\n * @notice Verifies that the signer really signed the message.\\n * It works for both ECDSA signatures and ERC1271 signatures.\\n *\\n * Reverts if:\\n * - Signer is the zero address\\n * - Signer is a contract that does not implement ERC1271\\n * - Signer is a contract that implements ERC1271 but returns an unexpected value\\n * - Signer is a contract that reverts when called with the signature\\n * - Signer is an EOA but the signature is not a valid ECDSA signature\\n * - Recovered signer does not match the user address\\n *\\n * @param _user  - the message signer\\n * @param _hashedMessage - hashed message\\n * @param _signature - signature. If the signer is EOA, it must be ECDSA signature in the format of (r,s,v) struct, otherwise, it must be a valid ERC1271 signature.\\n */\\nfunction verify(address _user, bytes32 _hashedMessage, bytes calldata _signature) internal {\\n    if (_user == address(0)) revert BosonErrors.InvalidAddress();\\n\\n    bytes32 typedMessageHash = toTypedMessageHash(_hashedMessage);\\n\\n    // Check if user is a contract implementing ERC1271\\n    bytes memory returnData; // Make this available for later if needed\\n    if (_user.code.length > 0) {\\n        bool success;\\n        (success, returnData) = _user.staticcall(\\n            abi.encodeCall(IERC1271.isValidSignature, (typedMessageHash, _signature))\\n        );\\n        if (success) {\\n            if (returnData.length != SLOT_SIZE) {\\n                revert BosonErrors.UnexpectedDataReturned(returnData);\\n            } else {\\n                // Make sure that the lowest 224 bits (28 bytes) are not set\\n                if (uint256(bytes32(returnData)) & type(uint224).max != 0) {\\n                    revert BosonErrors.UnexpectedDataReturned(returnData);\\n                }\\n\\n                if (abi.decode(returnData, (bytes4)) != IERC1271.isValidSignature.selector)\\n                    revert BosonErrors.SignatureValidationFailed();\\n\\n                return;\\n            }\\n        }\\n    }\\n\\n    address signer;\\n    // If the user is not a contract or the call to ERC1271 failed, we assume it's an ECDSA signature\\n    if (_signature.length == 65) {\\n        ECDSASignature memory ecdsaSig = ECDSASignature({\\n            r: bytes32(_signature[0:32]),\\n            s: bytes32(_signature[32:64]),\\n            v: uint8(_signature[64])\\n        });\\n\\n        // Ensure signature is unique\\n        // See https://github.com/OpenZeppelin/openzeppelin-contracts/blob/04695aecbd4d17dddfd55de766d10e3805d6f42f/contracts/cryptography/ECDSA.sol#63\\n        if (\\n            uint256(ecdsaSig.s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0 ||\\n            (ecdsaSig.v != 27 && ecdsaSig.v != 28)\\n        ) revert BosonErrors.InvalidSignature();\\n\\n        signer = ecrecover(typedMessageHash, ecdsaSig.v, ecdsaSig.r, ecdsaSig.s);\\n        if (signer == address(0)) revert BosonErrors.InvalidSignature();\\n    }\\n\\n    if (signer != _user) {\\n        if (returnData.length > 0) {\\n            // In case 1271 verification failed with a revert reason, bubble it up\\n\\n            /// @solidity memory-safe-assembly\\n            assembly {\\n                revert(add(SLOT_SIZE, returnData), mload(returnData))\\n            }\\n        }\\n\\n        revert BosonErrors.SignatureValidationFailed();\\n    }\\n}\\n\")), mdx(\"h3\", {\n    \"id\": \"recommendation\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#recommendation\",\n    \"aria-label\": \"recommendation permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Recommendation:\"), mdx(\"p\", null, \"We advise the code to become \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-7702\"\n  }, \"EIP-7702\"), \" conscious and to not \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"revert\"), \" fatally in its \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-1271\"\n  }, \"EIP-1271\"), \" integration, updating its documented error cases in the process.\"), mdx(\"h3\", {\n    \"id\": \"alleviation-efd5d1a8f23c3bca7c25273ea4c912a367250119\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation-efd5d1a8f23c3bca7c25273ea4c912a367250119\",\n    \"aria-label\": \"alleviation efd5d1a8f23c3bca7c25273ea4c912a367250119 permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Alleviation (efd5d1a8f23c3bca7c25273ea4c912a367250119):\"), mdx(\"p\", null, \"The code was updated to properly proceed with ECDSA validation regardless of the failure that was identified during the \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-1271\"\n  }, \"EIP-1271\"), \" recovery flow, bubbling up the appropriate error should both validations fail.\"), mdx(\"p\", null, \"As such, we consider this exhibit fully alleviated.\"), mdx(ViewDiffButton, {\n    repoUrl: \"https://github.com/bosonprotocol/boson-protocol-contracts\",\n    mainHash: \"6a14c31bead936ed03b2d51ab82010ecd1047f40\",\n    fixHash: \"efd5d1a8f23c3bca7c25273ea4c912a367250119\",\n    gitHubIssue: \"1064\",\n    mdxType: \"ViewDiffButton\"\n  }));\n}\n;\nMDXContent.isMDXComponent = true;","headings":[{"depth":2,"value":"<span id=\"EIP-01M\">EIP-01M: Limiting Signature Verification Process</span>"},{"depth":3,"value":"Description:"},{"depth":3,"value":"Impact:"},{"depth":3,"value":"Example:"},{"depth":3,"value":"Recommendation:"},{"depth":3,"value":"Alleviation (efd5d1a8f23c3bca7c25273ea4c912a367250119):"}]}},"pageContext":{"slug":"/manual-review/EIP712Lib-EIP/","prev":{"label":"DRFeeMutualizer.sol (DRF-M)","link":"/manual-review/DRFeeMutualizer-DRF"},"next":{"label":"ExchangeCommitFacet.sol (ECF-M)","link":"/manual-review/ExchangeCommitFacet-ECF"}}},"staticQueryHashes":["1954253342","2328931024","2501019404","973074209"]}