Sushi Trident contest phase 1 - nikitastupin's results

Handle

nikitastupin

Vulnerability details

The DOMAIN_SEPARATOR for permit function is defined in constructor https://github.com/sushiswap/trident/blob/9130b10efaf9c653d74dc7a65bde788ec4b354b5/contracts/pool/TridentERC20.sol#L30-L38. As noted in https://eips.ethereum.org/EIPS/eip-2612#security-considerations this may lead to replay attacks in case of a future chain split.

Scenario is as follows:

1. Suppose at some point a chain split happens. We’re left with two chains. Suppose the first chain has chain ID of 1 and the second chain has chain ID of 2.
2. The victim has the same private key on both chains.
3. The victim signs parameters for permit function off-chain for the first chain.
4. A third-party executes permit function with victim's parameters and signature.
5. An attacker sees parameters and signature on the blockchain, copies them and executes permit function on the second chain.
6. The transaction of an attacker succeeds even though chain ID is equal to 1 and the actual chain ID is 2.
7. Victim’s funds on the second chain are moved in unexpected manner.

Impact

Possible replay attacks on permit function in case of a future chain split

Proof of Concept

I'll write a PoC if needed

Recommended Mitigation Steps

As noted in https://eips.ethereum.org/EIPS/eip-2612#security-considerations retrieve DOMAIN_SEPARATOR each time via function DOMAIN_SEPARATOR() external view returns (bytes32).