Huge Navy Condor - wrong implementation of verify. #1060

Open
sherlock-admin3 opened this issue Dec 30, 2024 · 0 comments

@sherlock-admin3
Huge Navy Condor

Medium

wrong implementation of verify.

Summary

Here in the verify function we are not verifying the nonce, as we are keeping that value at zero.

Root Cause

https://github.com/sherlock-audit/2024-11-autonomint/blob/main/Blockchain/Blockchian/contracts/Core_logic/CDS.sol#L864
function verify(
    bytes memory odosExecutionData,
    bytes memory signature
) external view onlyBorrowingContract returns (bool) {
    return
        _verify(
            FunctionName.BORROW_WITHDRAW,
            0, // excessProfitCumulativeValue (unused for BORROW_WITHDRAW)
            0, // nonce: always passed as the constant 0
            odosExecutionData,
            signature
        );
}

function _verify(
    FunctionName functionName,
    uint256 excessProfitCumulativeValue,
    uint256 nonce,
    bytes memory odosExecutionData,
    bytes memory signature
) private view returns (bool) {
    bytes32 digest;
    if (functionName == FunctionName.CDS_WITHDRAW) {
        digest = _hashTypedDataV4(
            keccak256(
                abi.encode(
                    keccak256(
                        "Permit(uint256 excessProfitCumulativeValue,uint256 nonce)"
                    ),
                    excessProfitCumulativeValue,
                    nonce
                )
            )
        );
    } else if (functionName == FunctionName.BORROW_WITHDRAW) {
        digest = _hashTypedDataV4(
            keccak256(
                abi.encode(
                    keccak256("OdosPermit(bytes odosExecutionData)"),
                    odosExecutionData
                )
            )
        );
    }

    address signer = ECDSA.recover(digest, signature);
    bytes32 hashedSigner = keccak256(abi.encodePacked(signer));
    if (hashedSigner == hashedAdminTwo) {
        return true;
    } else {
        return false;
    }
}


Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

verify can be replayed.

PoC

No response

Mitigation

Do not keep the nonce as a constant zero.
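
As an added example (not the audited project's code and not part of the issue above), the following contract shows the pattern the mitigation points at: the nonce is part of the signed EIP-712 struct, is read from contract storage rather than passed in as a literal, and is consumed when a signature is accepted, so the same signature cannot be accepted twice. The contract name, domain name and version, the adminTwo address and the verifyAndConsume name are assumptions; OpenZeppelin's EIP712 and ECDSA are the same libraries the original snippet relies on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Added example, not the audited protocol's code.
/// Replay-resistant variant of the verify pattern discussed in the issue.
contract OdosPermitVerifier is EIP712 {
    // The nonce is now a member of the signed struct, so a signature commits to it.
    bytes32 public constant ODOS_PERMIT_TYPEHASH =
        keccak256("OdosPermit(bytes odosExecutionData,uint256 nonce)");

    // Trusted signer. The original stores keccak256(abi.encodePacked(signer)) as
    // hashedAdminTwo; comparing the address directly is equivalent and cheaper.
    address public immutable adminTwo;

    // Monotonic counter: each accepted signature consumes the current value.
    uint256 public nonce;

    // Domain name and version are assumed values for this example.
    constructor(address adminTwo_) EIP712("AssumedProtocol", "1") {
        adminTwo = adminTwo_;
    }

    /// Digest the off-chain signer must sign for the *current* nonce.
    /// EIP-712 encodes a dynamic `bytes` member as keccak256 of its contents,
    /// which is what standard signTypedData implementations produce.
    function permitDigest(bytes calldata odosExecutionData) public view returns (bytes32) {
        return _hashTypedDataV4(
            keccak256(
                abi.encode(ODOS_PERMIT_TYPEHASH, keccak256(odosExecutionData), nonce)
            )
        );
    }

    /// Verifies the signature against the current nonce and, on success,
    /// advances the nonce so the same signature is rejected next time.
    /// This cannot be `view` like the original verify: consuming the nonce
    /// requires a state write.
    function verifyAndConsume(
        bytes calldata odosExecutionData,
        bytes calldata signature
    ) external returns (bool) {
        address signer = ECDSA.recover(permitDigest(odosExecutionData), signature);
        if (signer != adminTwo) {
            return false;
        }
        // Signature accepted: burn the nonce it was bound to.
        unchecked {
            nonce += 1;
        }
        return true;
    }
}
```

Because the digest comes from `_hashTypedDataV4`, the EIP-712 domain separator (chain id and verifying contract address) is already part of what is signed, so the nonce only needs to prevent repeats on this contract and chain. A monotonic counter forces signatures to be used in the order they were issued; if out-of-order use is required, a `mapping(uint256 => bool) usedNonces` that is checked and set in `verifyAndConsume` is the usual alternative.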
