Sushi Trident contest phase 1 - t11s's results

Community-driven DeFi platform

General Information

Platform: Code4rena

Start Date: 16/09/2021

Pot Size: $200,000 SUSHI

Total HM: 26

Participants: 16

Period: 14 days

Judge: alcueca

Total Solo HM: 13

Id: 29

League: ETH

Sushi

Findings Distribution

Researcher Performance

Rank: 16/16

Findings: 1

Award: $115.80

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Sushi

Findings Information

🌟 Selected for report: nikitastupin

Also found by: 0xRajeev, 0xsanson, broccoli, t11s

Labels

bug

duplicate

1 (Low Risk)

sponsor confirmed

Awards

9.2639 SUSHI - $115.80

External Links

Link to GitHub issue

Handle

t11s

Vulnerability details

Impact

If the chain was to fork (or someone was to sign messages to use permit on a local fork), permit signatures made on either fork could be replayed on the other. This could allow users who permit to each other (or contracts that can be upgraded) to steal funds from each other.

Proof of Concept

The DOMAIN_SEPARATOR is set in the constructor, which causes this issue. If block.chainid changes the DOMAIN_SEPARATOR separator will not be updated.

https://github.com/sushiswap/trident/blob/9da0311c5a555fc16e5e18ca0a04fe5895365391/contracts/pool/TridentERC20.sol#L30-L37

This is advised against in the security considerations section of EIP2612: https://eips.ethereum.org/EIPS/eip-2612

"If the DOMAIN_SEPARATOR contains the chainId and is defined at contract deployment instead of reconstructed for every signature, there is a risk of possible replay attacks between chains in the event of a fututre chain split."

Tools Used

None.

Recommended Mitigation Steps

Either compute DOMAIN_SEPARATOR on the fly for each permit or cache a starting value in the constructor, and if chainid changes fall back to recomputing on the fly.

Here are some implementations of this:

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/draft-EIP712.sol https://github.com/yieldprotocol/yield-utils-v2/blob/main/contracts/token/ERC20Permit.sol https://github.com/boringcrypto/BoringSolidity/blob/master/contracts/Domain.sol https://github.com/dapp-org/dappsys-v2/blob/a59e20576ef9febcd8ac350f8fad363e55c5277a/src/token.sol#L96-L98

#0 - maxsam4
2021-09-22T08:54:47Z

I knew this was coming xD

We fixed this in our codebase after your tweet. However, I agree with Dan on this. There are much bigger problems if the network forks than replaying. Therefore, this is an unrealistic scenario with limited impact.

I'd suggest changing the severity to 1.

#1 - alcueca
2021-10-25T05:59:14Z

We could have a long discussion here, and I would prefer to stop reporting this vulnerability as it really is unrealistic. However, the sponsor confirmed and fixed it, so I can't dismiss it.

As a low-effort find, I'm downgrading it to 1 out of respect to real severity 2's found.

#2 - alcueca
2021-10-30T04:40:06Z

Duplicate of #18

Sushi Trident contest phase 1 - t11s's results

Community-driven DeFi platform

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $115.80

QA Report - $115.80

[L-04] Permit signature replay across forks in TridentERC20 - $115.80

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - maxsam42021-09-22T08:54:47Z

#1 - alcueca2021-10-25T05:59:14Z

#2 - alcueca2021-10-30T04:40:06Z

#0 - maxsam4
2021-09-22T08:54:47Z

#1 - alcueca
2021-10-25T05:59:14Z

#2 - alcueca
2021-10-30T04:40:06Z