Lines of code
<https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/token-implementations/ERC20Permit.sol#L44-L48&gt;

Vulnerability details

Impact

The StandardizedToken contract inherits the ERC20Permit contract which in the case of an upgradable/proxied Token would allow permits for a previous version of the Token to be used on any subsequent version of it.

NOTE that ERC20Permit is not explicitly in scope but used/inherited by StandardizedToken which is in scope.

Proof of Concept

The ERC20Permit @ line 44-48 defines the domain separator as follows

    function _setDomainTypeSignatureHash(string memory name) internal {
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(DOMAIN_TYPE_SIGNATURE_HASH, keccak256(bytes(name)), keccak256(bytes('1')), block.chainid, address(this))
        );
    }

Since the above code would be called by a proxy address(this) will never change, and given that the version is fixed to bytes(‘1’), permits issued before a token implementation upgrade would still be valid after the upgrade.

Tools Used

n/a

Recommended Mitigation Steps

Allow version to be increased between upgrades to ensure a distinct DOMAIN_SEPARATOR at each upgrade.

Assessed type

Access Control

The text was updated successfully, but these errors were encountered:

All reactions