Skip to content

Latest commit

 

History

History
42 lines (24 loc) · 1.21 KB

219.md

File metadata and controls

42 lines (24 loc) · 1.21 KB

Mammoth Maroon Trout

High

{actor} will {impact} {affected party}

Summary

https://github.com/sherlock-audit/2024-10-gamma-rewarder/blob/main/GammaRewarder/contracts/brevis/lib/Lib.sol#L80 The EIP-1559 transaction includes an access_list at index 8 in the RLP-encoded list. Your code skips over this field and does not handle it properly. The method for reconstructing the unsigned transaction (unsignedTxRaw) is complex and error-prone. It incorrectly adjusts the RLP length prefixes after removing v, r, and s. The code computes the transaction hash using keccak256(unsignedTxRaw) without including the transaction type byte (0x02) as required by EIP-1559.

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

This omission leads to incorrect parsing of subsequent fields (v, r, s), as the indices used are off by one. This leads to an incorrect transaction hash being computed, which in turn results in the wrong sender address being recovered. The computed hash does not match the one used during signing, leading to a failed recovery of the sender’s address.

PoC

No response

Mitigation

No response