Skip to content

Latest commit

 

History

History
27 lines (15 loc) · 1017 Bytes

File metadata and controls

27 lines (15 loc) · 1017 Bytes

Smooth Graphite Tuna

High

# Signature malleability in HatsSignerGate._countValidSignatures

Description

The HatsSignerGate._countValidSignatures function uses the EVM's built-in ecrecover function to count the number of valid signatures. However, ecrecover is susceptible to signature malleability which allows signatures to be slightly modified while still being valid, even without having the private key.

Since number of valid signature check happens in HatsSignerGate.checkTransaction which runs before any Safe transaction executes, an attacker could potentially:

  1. Take a valid signature
  2. Modify it slightly to create a new valid signature
  3. Use this to replay an old transaction that was already executed

Code Snippet

https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L674

Impact

Replaying safe's transaction is possible to replay previously signed transactions

Recommendation

Consider using OpenZeppelin’s ECDSA library.