[Lines of code](https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MetaTxLib.sol#L143-L153) # Vulnerability details ## Bug Description According to the [EIP-712]() specification, arrays are encoded by concatenating its elements and passing the result to keccak256: > The array values are encoded as the keccak256 hash of the concatenated encodeData of their contents (i.e. the encoding of SomeType[5] is identical to that of a struct containing five members of type SomeType). An example of a correct implementation can be seen in [validateUnfollowSignature()](), where the idsOfProfilesToUnfollow array is passed to keccak256 after using abi.encodePacked(): [MetaTxLib.sol#L368]() keccak256(abi.encodePacked(idsOfProfilesToUnfollow)), However, some other functions in MetaTxLib encode arrays differently, which differs from the EIP-712 specification. Some functions do not encode the array at all, and pass the array to abi.encode() alongside other arguments in its struct. For example, in validatePostSignature(), the postParams.actionModules array is not encoded by itself: [MetaTxLib.sol#L143-L153]() abi.encode( Typehash.POST, postParams.profileId, keccak256(bytes(postParams.contentURI)), postParams.actionModules, _hashActionModulesInitDatas(postParams.actionModulesInitDatas), postParams.referenceModule, keccak256(postParams.referenceModuleInitData), _getAndIncrementNonce(signature.signer), signature.deadline ) Other instances of this include: * mirrorParams.referrerProfileIds and mirrorParams.referrerPubIds in [validateMirrorSignature()]() * publicationActionParams.referrerProfileIds and publicationActionParams.referrerPubIds in [validateActSignature()]() * All functions that use [_abiEncode()](), namely [validateCommentSignature()]() and [validateQuoteSignature()]() Secondly, the validateChangeDelegatedExecutorsConfigSignature() function encodes the delegatedExecutors and approvals arrays using abi.encodePacked(), but do not pass it to keccak256: [MetaTxLib.sol#L100-L109]() abi.encode( Typehash.CHANGE_DELEGATED_EXECUTORS_CONFIG, delegatorProfileId, abi.encodePacked(delegatedExecutors), abi.encodePacked(approvals), configNumber, switchToGivenConfig, nonce, deadline ) ## Impact As arrays are encoded incorrectly, the signature verification in the functions listed above is not [EIP-712]() compliant. Contracts or dapps/backends that encode arrays according to the rules specified in [EIP-712]() will end up with different signatures, causing any of the functions listed above to revert when called. Moreover, the inconsistent encoding of arrays might be extremely confusing to developers who wish to use these functions to implement meta-transactions. ## Recommended Mitigation Consider encoding arrays correctly in the functions listed above, which can be achieved by calling abi.encodePacked() on the array and passing its results to keccak256. ## Assessed type Other --- The text was updated successfully, but these errors were encountered: All reactions