Omniscia Gnosis Guild Audit

CowswapOrderSigner Manual Review Findings

CowswapOrderSigner Manual Review Findings

COS-01M: Inexistent Exposure of Inverse Operation

Description:

The CowswapOrderSigner contract exposes a CowswapOrderSigner::signOrder function to register a pre-signed order in the Cowswap system, however, no method exists to reverse this operation via the GPv2Signing::setPreSignature function with a false argument.

Impact:

While the recommendation to include this feature to the CowswapOrderSigner is valid, it was still possible to directly interact with the CowSwap system to disable a particular pre-signature. As such, we consider this exhibit to be of "minor" severity.

Example:

contracts/CowswapOrderSigner.sol
12contract CowswapOrderSigner {
13    using GPv2Order for GPv2Order.Data;
14

15    GPv2Signing public immutable signing;
16    bytes32 immutable domainSeparator;
17    address immutable deployedAt;
18

19    constructor(GPv2Signing _signing) {
20        signing = _signing;
21        domainSeparator = _signing.domainSeparator();
22        deployedAt = address(this);
23    }
24

25    function signOrder(
26        GPv2Order.Data calldata order,
27        uint32 validDuration, // seconds
28        uint256 feeAmountBP // basis points
29    ) external {
30        require(address(this) != deployedAt, "DELEGATECALL only");
31        require(
32            block.timestamp + validDuration > order.validTo,
33            "Dishonest valid duration"
34        );
35        require(
36            order.feeAmount <= (order.sellAmount * feeAmountBP) / 10000 + 1,
37            "Fee too high"
38        );
39

40        // compute order UID
41        bytes32 orderDigest = order.hash(domainSeparator);
42        bytes memory orderUid = new bytes(GPv2Order.UID_LENGTH);
43        GPv2Order.packOrderUidParams(
44            orderUid,
45            orderDigest,
46            address(this),
47            order.validTo
48        );
49

50        signing.setPreSignature(orderUid, true);
51    }
52}

Recommendation:

We advise such functionality to be introduced, preferably with no require checks in relation to the validTo and feeAmount members, ensuring that the logic of the CowswapOrderSigner which can be executed via delegatecall operations enables the de-authorization of pre-signed Cowswap orders.

Alleviation (da3062f6b3ff452092a0b6daa6f226f0f3b696c6):

A new method was introduced labelled as CowswapOrderSigner::unsignOrder that permits the pre-signature of an order to be set to false, alleviating this exhibit in full.

Prev

CowswapOrderSigner.sol (COS-S)

Next

GPv2Signing.sol (GPS-M)

On this page