Powerful Honeysuckle Anteater
High
For CDS withdraw the passed signature nonce is not verified, so anyone could use an outdated excessProfitCumulativeValue signature from admin2.
When doing a CDS withdraw we perform signature verification in CDS.sol in verify(), however the nonce thats passed in, for the signature is not verified, so anyone could re-use any excessProfitCumulativeValue signatures from admin2.
Not verifying if the passed nonce has already been used, when doing CDS withdraw. Reference CDS.sol#L878-L916
function _verify(FunctionName functionName, uint256 excessProfitCumulativeValue, uint256 nonce, bytes memory odosExecutionData, bytes memory signature) private view returns (bool) {
bytes32 digest;
if (functionName == FunctionName.CDS_WITHDRAW) {
digest = _hashTypedDataV4(
keccak256(
abi.encode(
keccak256(
"Permit(uint256 excessProfitCumulativeValue,uint256 nonce)"
),
excessProfitCumulativeValue,
@>> nonce //@audit never verified, just encoded in the signature.
)
)
);
} else if (functionName == FunctionName.BORROW_WITHDRAW) {
....
}
address signer = ECDSA.recover(digest, signature);
bytes32 hashedSigner = keccak256(abi.encodePacked(signer));
if (hashedSigner == hashedAdminTwo) {
return true;
} else {
return false;
}
}- Adversary wants to withdraw a CDS deposit.
- Adversary can re-use old signature from admin2 for the excessProfitCumulativeValue value, to receive more value, as this field is used in the amount to return value calculation:
uint256 currentValue = cdsAmountToReturn(
msg.sender,
index,
omniChainData.cumulativeValue,
omniChainData.cumulativeValueSign,
@>> excessProfitCumulativeValue
) - 1;Adversary can re-use old signature from admin2 for the excessProfitCumulativeValue value, to receive more value, as this field is used in the amount to return value calculation
Verify the nonce passed with one stored in the contract itself.