Omniscia Tokemak Network Audit

DelegateFunction Manual Review Findings

DFN-01M: Contract-Based Nonce System Race Condition

Type	Severity	Location
Logical Fault	Minor	DelegateFunction.sol:L112, L118, L158, L165, L208, L215

Description:

The delegateWithEIP1271 function utilizes a contract-level nonce system that can cause race conditions to arise should multiple users attempt to submit a valid EIP-1271 signature for the same nonce.

Example:

contracts/delegation/DelegateFunction.sol

111function delegateWithEIP1271(
112    address contractAddress,
113    DelegatePayload memory delegatePayload,
114    bytes memory signature,
115    SignatureType signatureType
116) external override whenNotPaused {
117    bytes32 delegatePayloadHash = _hashDelegate(delegatePayload, signatureType);
118    _verifyNonce(contractAddress, delegatePayload.nonce);
119
120    _verifyIERC1271Signature(contractAddress, delegatePayloadHash, signature);
121
122    _delegate(contractAddress, delegatePayload.sets);
123}

Recommendation:

We advise this trait of the system to be evaluated as it can cause significant usability issues.

Alleviation:

The Tokemak team has stated that they do not envision the race-behaviour to materialize in real-world use cases as the function is meant to be seldomly invoked.

Omniscia Tokemak Network Audit

DelegateFunction Manual Review Findings

DelegateFunction Manual Review Findings

DFN-01M: Contract-Based Nonce System Race Condition

Description:

Example:

Recommendation:

Alleviation:

BalanceTracker.sol (BTR-M)

EthPool.sol (EPL-M)

On this page