Platform: Code4rena
Start Date: 08/01/2024
Pot Size: $83,600 USDC
Total HM: 23
Participants: 116
Period: 10 days
Judge: 0xean
Total Solo HM: 1
Id: 317
League: ETH
Rank: 116/116
Findings: 1
Award: $1.80
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BI_security
Also found by: 0xPsuedoPandit, 0xpiken, ABAIKUNANBAEV, Beepidibop, CipherSleuths, EV_om, Giorgio, Hajime, J4X, KingNFT, KupiaSec, NentoR, SBSecurity, SpicyMeatball, Tendency, Ward, ZdravkoHr, boringslav, deepplus, hals, hash, haxatron, jasonxiale, juancito, pkqs90, plasmablocks, ravikiranweb3, rokinot, rvierdiiev, trachev, zaevlad, zzebra83
1.8029 USDC - $1.80
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/packages/Signer.sol#L394-L400
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/packages/Signer.sol#L406
Signer.sol is inherited by the Create and Stop policies, where its functions are used to verify the rental data. Unfortunately, some of the type structs are encoded in violation of the EIP712 standard, which will result in improper payload verification.
https://eips.ethereum.org/EIPS/eip-712#definition-of-encodetype
According to the EIP712 standard:
If the struct type references other struct types (and these in turn reference even more struct types), then the set of referenced struct types is collected, sorted by name and appended to the encoding. An example encoding is Transaction(Person from,Person to,Asset tx)Asset(address token,uint256 amount)Person(address wallet,string name).
orderMetadataTypeHash is constructed in violation of this rule:
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/packages/Signer.sol#L406
    bytes memory orderMetadataTypeString = abi.encodePacked(
        "OrderMetadata(uint8 orderType,uint256 rentDuration,Hook[] hooks,bytes emittedExtraData)"
    );

    orderMetadataTypeHash = keccak256(orderMetadataTypeString);
As we can see, the Hook struct was not included in the hash.
rentPayloadTypeHash includes the referenced structs OrderMetadata and OrderFulfillment in the hash; however, they were not sorted by name:
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/packages/Signer.sol#L394-L400
    bytes memory rentPayloadTypeString = abi.encodePacked(
        "RentPayload(OrderFulfillment fulfillment,OrderMetadata metadata,uint256 expiration,address intendedFulfiller)"
    );

    // Derive RentPayload type hash via combination of relevant type strings.
    rentPayloadTypeHash = keccak256(
        abi.encodePacked(
            rentPayloadTypeString,
            orderMetadataTypeString,
            orderFulfillmentTypeString
        )
    );
Manual review
Encode rentPayloadTypeHash and orderMetadataTypeHash in accordance with the EIP712 rules:
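    // Derive RentPayload type hash via combination of relevant type strings.
    // Referenced struct types are appended sorted by name; Hook is included
    // because OrderMetadata references it.
    rentPayloadTypeHash = keccak256(
        abi.encodePacked(
            rentPayloadTypeString,
            hookTypeString,
            orderFulfillmentTypeString,
            orderMetadataTypeString
        )
    );

    // Derive the OrderMetadata type hash using the corresponding type string.
    // abi.encodePacked concatenates the two type strings; abi.encode would add
    // ABI offsets and lengths to the hashed preimage.
    orderMetadataTypeHash = keccak256(
        abi.encodePacked(orderMetadataTypeString, hookTypeString)
    );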
en/de-code
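The encodeType rule quoted in the finding, as an added Python example (not code from the finding or from the reNFT repository) that derives the canonical type string and checks a contract's concatenation order against it. It goes one step beyond the finding's text by following references transitively, so Hook also appears in the RentPayload string. The members of Hook and OrderFulfillment are placeholders because the page does not show them, and the check compares type strings only (the type hash is keccak256 of that string).

```python
import re

# Members of RentPayload and OrderMetadata come from the type strings quoted in
# the finding. The members of Hook and OrderFulfillment are not on the page:
# the single fields below are placeholders (assumption).
TYPES = {
    "RentPayload": [("OrderFulfillment", "fulfillment"), ("OrderMetadata", "metadata"),
                    ("uint256", "expiration"), ("address", "intendedFulfiller")],
    "OrderMetadata": [("uint8", "orderType"), ("uint256", "rentDuration"),
                      ("Hook[]", "hooks"), ("bytes", "emittedExtraData")],
    "Hook": [("address", "placeholderTarget")],
    "OrderFulfillment": [("address", "placeholderRecipient")],
}

def type_string(name, types=TYPES):
    """A single struct's 'Name(type member,...)' string, with no dependencies."""
    return name + "(" + ",".join(f"{t} {n}" for t, n in types[name]) + ")"

def referenced(name, types=TYPES):
    """All struct types reachable from `name` (transitively), excluding `name`."""
    found, stack = set(), [name]
    while stack:
        for member_type, _ in types[stack.pop()]:
            base = re.sub(r"(\[\d*\])+$", "", member_type)  # Hook[] -> Hook
            if base in types and base not in found:
                found.add(base)
                stack.append(base)
    found.discard(name)  # a recursive struct does not repeat the primary type
    return found

def encode_type(name, types=TYPES):
    """EIP-712 encodeType: primary type first, then referenced types sorted by name."""
    deps = sorted(referenced(name, types))
    return type_string(name, types) + "".join(type_string(d, types) for d in deps)

def audit(primary, parts, types=TYPES):
    """Compare a contract's concatenation order (`parts`) with the canonical string."""
    built = "".join(type_string(p, types) for p in parts)
    return {"matches": built == encode_type(primary, types),
            "expected_order": [primary] + sorted(referenced(primary, types))}

if __name__ == "__main__":
    # The two constructions reported in the finding.
    print(audit("OrderMetadata", ["OrderMetadata"]))
    print(audit("RentPayload", ["RentPayload", "OrderMetadata", "OrderFulfillment"]))
```

A signer and a verifier that build different type strings produce different type hashes, so signatures from a wallet following the standard will not validate against a contract that concatenates in another order.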
#0 - c4-pre-sort
2024-01-21T17:50:19Z
141345 marked the issue as duplicate of #239
#1 - c4-judge
2024-01-28T21:04:50Z
0xean marked the issue as satisfactory