ERC20 Token Implementation: Name change could result in signature verification failure because of the domain separator mismatch #426
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-146
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Comments
c4-submissions
added
2 (Med Risk)
c4-pre-sort
added
the
sufficient quality report
|
raymondfam marked the issue as sufficient quality report |
|
raymondfam marked the issue as duplicate of #146 |
|
gzeon-c4 marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L84
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L48
Vulnerability details
Summary
This report addresses an issue in the ERC20 token implementation, specifically concerning the ability to change the token's name and symbol. While the implementation adheres to the EIP 712 standard for signing permit functions, it has a crucial flaw related to the handling of the token's name. The issue arises when the token's name is changed after the initial setup, leading to incorrect calculations within the DOMAIN_SEPARATOR of the contract. Consequently, this impacts the ability to recover signatures correctly, causing potential failures during signature verification.
Something more - current implementation uses empty string for
namein the DOMAIN_SEPARATOR, because of the factory implementation.Impact
The impact of this issue is not considered high in terms of security, as it does not compromise the integrity of the token's funds or directly expose vulnerabilities to malicious actors. However, it does introduce undesirable consequences. Changing the name of a token should ideally result in the recalibration of the DOMAIN_SEPARATOR to maintain consistency. Failing to do so creates confusion and breaks the standard defined by EIP 712.
The EIP 712 standard specifies that the 'domainName' field within domainSeparator should represent the user-readable name of the signing domain, which includes the DApp or protocol name. When the token's name is changed without updating the DOMAIN_SEPARATOR, it deviates from this standard.
Proof of Concept
NOTE: 1 and 2 from below are different scenarios and for current implementation 1st will always override 2nd
Here are the steps and why in the DOMAIN_SEPARATOR of each token 'name' would be empty string, which is undesired behaviour.
decimalsIf the token's name is subsequently changed using file function
In this scenario, if the original name of the token was "Test token" and it was later changed to "Better name token," a signer would utilise "Better name token" for the domainName value in the hash struct used for the domainSeparator. This change could lead to a perpetual failure in the ecrecover signature verification process, if the signer follows EIP712 standard process, even if all other data remains valid.
Tools Used
Manual Review
Recommended Mitigation Steps
While recalculating the DOMAIN_SEPARATOR is a possible solution, it may introduce complexity and potential issues. Therefore, careful consideration should be given to the best approach for your specific use case and design requirements.
Assessed type
ERC20
The text was updated successfully, but these errors were encountered: