Skip to content

Latest commit

 

History

History
61 lines (50 loc) · 1.7 KB

025.md

File metadata and controls

61 lines (50 loc) · 1.7 KB

Proud Tartan Lynx

Medium

Signature Must Contain the ChainId

Summary

In GovernanceStakerOnBehalf.sol, the signature must include the ChainId.

Root Cause

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/extensions/GovernanceStakerOnBehalf.sol#L180

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

N/A

Impact

If someone has a depositId on defferent chain, their signature could be valid on the other chain. In particular, the deposit's claimer on one chain, which is using larger nonce, can claim the deposit's from the other chain.

PoC

GovernanceStakerOnBehalf.sol
180:    function alterClaimerOnBehalf(
            DepositIdentifier _depositId,
            address _newClaimer,
            address _depositor,
            uint256 _deadline,
            bytes memory _signature
        ) external virtual {
            Deposit storage deposit = deposits[_depositId];
            _revertIfNotDepositOwner(deposit, _depositor);
            _revertIfPastDeadline(_deadline);
            _revertIfSignatureIsNotValidNow(
                _depositor,
                _hashTypedDataV4(
                    keccak256(
                        abi.encode(
                            ALTER_CLAIMER_TYPEHASH,
                            _depositId,
                            _newClaimer,
                            _depositor,
                            _useNonce(_depositor),
                            _deadline
                        )
                    )
                ),
                _signature
            );

            _alterClaimer(deposit, _depositId, _newClaimer);
        }

Mitigation

The Signature must contain the ChainId.