Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UniStaker contract uses signature that do not have expiration #231

Closed
c4-bot-6 opened this issue Mar 4, 2024 · 7 comments
Closed

UniStaker contract uses signature that do not have expiration #231

c4-bot-6 opened this issue Mar 4, 2024 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-205 grade-b 🤖_128_group AI based duplicate group recommendation unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-6
Copy link
Contributor

c4-bot-6 commented Mar 4, 2024

Lines of code

https://github.com/uniswapfoundation/UniStaker/blob/d745dd2a393f4b6a35bca2fd72f4cd198840c081/src/UniStaker.sol#L324

Vulnerability details

Impact

When a user creates a signature operation for the UniStaker contract there is no any expiration time for this operation. That means that once, the signer has signed the signature for the user it can use it for the end of life.

Proof of Concept

All UniStaker method that use signatures do not make use of an expiration parameter

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L315
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L382
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L423
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L466
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L512
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L544

like is done in UNI token implementation in the methods delegateBySig or permit:

Tools Used

Manual review

Recommended Mitigation Steps

Add expiration parameter to the signature and the function using the signatures. Do not forget to also make use of the expiration parameter like in this example :

require(now <= expiry, "Uni::delegateBySig: signature expired"); // 'now' was deprecated in solidity 0.7.0 better to use block.timestamp in newer applications

for example here is a sample implementation for the UniStaker#withdrawOnBehalf method:

    function withdrawOnBehalf(
        DepositIdentifier _depositId,
        uint256 _amount,
+       uint256 _expiry,
        address _depositor,
        bytes memory _signature
    ) external {
+       if (block.timestamp > _expiry) revert SignatureIsExpired();
        ...
    }

Assessed type

Other
@c4-bot-6 c4-bot-6 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 4, 2024
c4-bot-2 added a commit that referenced this issue Mar 4, 2024
@c4-bot-2
imare issue #231
e2c70bf
@c4-bot-11 c4-bot-11 added the 🤖_128_group AI based duplicate group recommendation label Mar 5, 2024
@c4-judge c4-judge closed this as completed Mar 7, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as duplicate of #69

@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as not a duplicate

@c4-judge c4-judge reopened this Mar 7, 2024
@c4-judge c4-judge closed this as completed Mar 7, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as duplicate of #205

@c4-judge
Copy link
Contributor

MarioPoneder changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax grade-b and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 14, 2024
@c4-judge
Copy link
Contributor

MarioPoneder marked the issue as grade-b

@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by MarioPoneder

@c4-judge c4-judge reopened this Mar 17, 2024
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Mar 17, 2024
@c4-judge
Copy link
Contributor

MarioPoneder marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Mar 17, 2024
@CloudEllie CloudEllie added unsatisfactory does not satisfy C4 submission criteria; not eligible for awards and removed satisfactory satisfies C4 submission criteria; eligible for awards labels Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-205 grade-b 🤖_128_group AI based duplicate group recommendation unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@CloudEllie @c4-judge @c4-bot-6 @c4-bot-11