Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing Expiry in Signature Verification in the UniStaker contracts #233

Closed
c4-bot-4 opened this issue Mar 4, 2024 · 7 comments
Closed

Missing Expiry in Signature Verification in the UniStaker contracts #233

c4-bot-4 opened this issue Mar 4, 2024 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-205 🤖_128_group AI based duplicate group recommendation unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-4
Copy link
Contributor

c4-bot-4 commented Mar 4, 2024

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L391
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L322
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L432
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L475
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L521
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L545
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L803

Vulnerability details

Impact

The absence of an expiry timestamp in the signature verification process can lead to potential security vulnerabilities. Malicious actors may delay the usage of certain signatures (and the corresponding operations) to their advantages.

Proof of Concept

In the stakeOnBehalf function, a signature is used to authorize staking on behalf of another user. However, the signature does not include an expiry timestamp, allowing it to be deliberately delayed:

solidityCopy codefunction stakeOnBehalf(
  uint256 _amount,
  address _delegatee,
  address _beneficiary,
  address _depositor,
  bytes memory _signature
) external returns (DepositIdentifier _depositId) {
  _revertIfSignatureIsNotValidNow(
    _depositor,
    _hashTypedDataV4(
      keccak256(
        abi.encode(
          STAKE_TYPEHASH, _amount, _delegatee, _beneficiary, _depositor, _useNonce(_depositor)
        )
      )
    ),
    _signature
  );
  _depositId = _stake(_depositor, _amount, _delegatee, _beneficiary);
}

Similar issues can be found in the other mentioned functions.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Introduce an expiry timestamp as part of the data signed by the user. This timestamp should be checked against the current block timestamp to ensure that the signature is still valid at the time of execution. If the signature has expired, the transaction should be reverted.

Modify the data structure for signing to include an expiry timestamp:

solidityCopy code// Updated type hash with expiry timestamp
bytes32 public constant STAKE_TYPEHASH = keccak256(
  "Stake(uint256 amount,address delegatee,address beneficiary,address depositor,uint256 nonce,uint256 expiry)"
);

// Updated stakeOnBehalf function with expiry check
function stakeOnBehalf(
  uint256 _amount,
  address _delegatee,
  address _beneficiary,
  address _depositor,
  uint256 _expiry,
  bytes memory _signature
) external returns (DepositIdentifier _depositId) {
  require(block.timestamp <= _expiry, "Signature expired");
  _revertIfSignatureIsNotValidNow(
    _depositor,
    _hashTypedDataV4(
      keccak256(
        abi.encode(
          STAKE_TYPEHASH, _amount, _delegatee, _beneficiary, _depositor, _useNonce(_depositor), _expiry
        )
      )
    ),
    _signature
  );
  _depositId = _stake(_depositor, _amount, _delegatee, _beneficiary);
}

Apply similar changes to the other functions that use signatures for authorization.

Assessed type

Access Control
@c4-bot-4 c4-bot-4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 4, 2024
c4-bot-4 added a commit that referenced this issue Mar 4, 2024
@c4-bot-4
0xPluto issue #233
d5f2050
@c4-bot-11 c4-bot-11 added the 🤖_128_group AI based duplicate group recommendation label Mar 5, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as duplicate of #69

@c4-judge c4-judge closed this as completed Mar 7, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as not a duplicate

@c4-judge c4-judge reopened this Mar 7, 2024
@c4-judge c4-judge closed this as completed Mar 7, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as duplicate of #205

@c4-judge c4-judge removed the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Mar 14, 2024
@c4-judge
Copy link
Contributor

MarioPoneder changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Mar 14, 2024
@c4-judge
Copy link
Contributor

MarioPoneder marked the issue as grade-c

@c4-judge c4-judge reopened this Mar 17, 2024
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Mar 17, 2024
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by MarioPoneder

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards and removed grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Mar 17, 2024
@c4-judge
Copy link
Contributor

MarioPoneder marked the issue as satisfactory

@CloudEllie CloudEllie added unsatisfactory does not satisfy C4 submission criteria; not eligible for awards and removed satisfactory satisfies C4 submission criteria; eligible for awards labels Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-205 🤖_128_group AI based duplicate group recommendation unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@CloudEllie @c4-judge @c4-bot-4 @c4-bot-11