-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PositionManager
& PermitERC721
Failure to comply with the EIP-4494
#141
Comments
MikeHathaway marked the issue as sponsor confirmed |
Picodes changed the severity to QA (Quality Assurance) |
Downgrading to Low as part of this is out of scope here, and the rest can be considered an instance of "function incorrect as to spec" |
Hi, @Picodes The
We can see that File: ajna-core/src/base/PermitERC721.sol
29: /** @dev Gets the current nonce for a token ID and then increments it, returning the original value */
30: function _getAndIncrementNonce(uint256 tokenId_) internal virtual returns (uint256); This suggests that the Examples:
Thank you |
This previously downgraded issue has been upgraded by Picodes |
1 similar comment
This previously downgraded issue has been upgraded by Picodes |
Picodes marked the issue as satisfactory |
@BhHaipls your point is valid: |
Hey @Picodes, I would like to address the validity of the issue raised in the following link: #145. Considering the usage of nonces, which are also employed in the 'permit' functionality, I believe that this issue should be deemed valid. This is particularly relevant because the '_getAndIncrementNonce' function is directly utilized within the 'permit' feature. It is important to note that PermitERC721 serves as an abstract contract, possessing a critical vulnerability that places an obligation on the PositionManager to implement this vulnerability in its own implementation. Given that the 'PositionManager' contract does not override the aforementioned function, I contend that it is reasonable to make the same assumption as you did when evaluating this issue. This aligns with the understanding that PermitERC721 shifts the responsibility to its descendants. Finally, this means permit is a public function that can and will be used by Ajna users who interact with the PositionManager contract, which is in scope. Thank you for your attention to this matter. Edit: Here are a few similar issues that have been judged similarly:
That being said, I believe #145 should be downgraded to Medium, given the circumstances. |
@bytes032 I am not sure I understand your argument. How is the signature malleability of For |
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L42
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/base/PermitERC721.sol#L77
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/base/PermitERC721.sol#L13
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L57
Vulnerability details
Impact
The contract
PositionManager.sol
inherits fromPermitERC721.sol
, but both contracts incorrectly implement theEIP-4494
standard, which is an important part of the contract. This leads to the following issues:PositionManager
&PermitERC721
are notEIP-4494
compliantpermit
forERC721
EIP-4494
nonces
are currently relevant, leading to the creation of invalid signatures/signatures for the futureProof of Concept
According to the specifications of the standard EIP-4494, the following violations were found:
EIP-4494
requires the implementation ofIERC165
and the indication of support for the interface0x5604e225
, which is not implementedEIP-4494
requires the presence of the functionfunction nonces(uint256 tokenId) external view returns(uint256);
which is missingEIP-4494
requires the functionfunction permit(address spender, uint256 tokenId, uint256 deadline, bytes memory sig) external;
, which is incorrectly declared asTools Used
Recommended Mitigation Steps
Assessed type
Other
The text was updated successfully, but these errors were encountered: