Omniscia Pirex Audit

ERC20SnapshotSolmate Manual Review Findings

ERC20SnapshotSolmate Manual Review Findings

ERS-01M: Insecure Elliptic Curve Recovery Mechanism

Description:

The ecrecover function is a low-level cryptographic function that should be utilized after appropriate sanitizations have been enforced on its arguments, namely on the s and v values. This is due to the inherent trait of the curve to be symmetrical on the x-axis and thus permitting signatures to be replayed with the same x value (r) but a different y value (s).

Example:

contracts/ERC20SnapshotSolmate.sol
148function permit(
149 address owner,
150 address spender,
151 uint256 value,
152 uint256 deadline,
153 uint8 v,
154 bytes32 r,
155 bytes32 s
156) public virtual {
157 require(deadline >= block.timestamp, "PERMIT_DEADLINE_EXPIRED");
158
159 // Unchecked because the only math done is incrementing
160 // the owner's nonce which cannot realistically overflow.
161 unchecked {
162 address recoveredAddress = ecrecover(
163 keccak256(
164 abi.encodePacked(
165 "\x19\x01",
166 DOMAIN_SEPARATOR(),
167 keccak256(
168 abi.encode(
169 keccak256(
170 "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
171 ),
172 owner,
173 spender,
174 value,
175 nonces[owner]++,
176 deadline
177 )
178 )
179 )
180 ),
181 v,
182 r,
183 s
184 );
185
186 require(
187 recoveredAddress != address(0) && recoveredAddress == owner,
188 "INVALID_SIGNER"
189 );
190
191 allowance[recoveredAddress][spender] = value;
192 }
193
194 emit Approval(owner, spender, value);
195}

Recommendation:

We advise them to be sanitized by ensuring that v is equal to either 27 or 28 (v ∈ {27, 28}) and to ensure that s is existent in the lower half order of the elliptic curve (0 < s < secp256k1n ÷ 2 + 1) by ensuring it is less than 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A1. A reference implementation of those checks can be observed in the ECDSA library of OpenZeppelin and the rationale behind those restrictions exists within Appendix F of the Yellow Paper.

Alleviation:

The recover function from the ECDSA OpenZeppelin library is now properly used in the codebase preventing the inherent cryptographic attack described from being applicable to the contract.