Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 109/144
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
0 USDC - $0.00
https://github.com/code-423n4/2022-10-holograph/blob/main/src/enforcer/HolographERC20.sol#L31 https://github.com/code-423n4/2022-10-holograph/blob/main/src/enforcer/HolographERC20.sol#L382 https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/library/ECDSA.sol#L2 https://github.com/code-423n4/2022-10-holograph/blob/main/src/enforcer/HolographERC20.sol#L361
OpenZeppelin has a vulnerability in versions lower than 4.7.3, which can be exploited by an attacker. The project uses a vulnerable version 4.4.1 (See ECDSA.sol#L2)
All of the conditions from the advisory are satisfied: the signature comes in a single bytes argument, ECDSA.recover() (See HolographERC20.sol#L382) is used, and the signatures themselves are used for replay protection checks https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4h98-2769-gh6h
If a user calls permit() (See HolographERC20.sol#L361), notices a mistake, then calls permit() again, an attacker can use signature malleability to re-submit the first change request, as long as the old request has not expired yet.
Manual review
Use at least the patched version of @openzeppelin/contracts 4.7.3.
#0 - gzeoneth
2022-10-28T07:29:33Z
./library is out-of-scope
#1 - gzeoneth
2022-10-30T15:31:05Z
Duplicate of #385
#2 - gzeoneth
2022-11-21T07:17:32Z
As QA report