Docile Admiral Trout
High
Missing `from` address verification in RLP decoding function allows potential transaction origin mismatch
The `decodeTx` function in the `Tx` library parses a raw transaction and recovers the `from` address using the transaction signature `(v, r, s)`. However, it does not check if this recovered `from` address matches the one provided in the RLP data, allowing for a potential mismatch. This can lead to unintended issues where the `from` address may be misinterpreted due to an accidental or incorrect value in the RLP data.
The vulnerability stems from the absence of a validation step to ensure that the `from` address obtained from the transaction signature matches the `from` address specified in the RLP data. Without this check, the transaction origin can appear incorrectly, whether due to user error, unintended discrepancies, or malicious actions.
No response
No response
- A user prepares a transaction with a specific `from` address in the RLP data, intending it to represent the sender.
- However, if the signature's `from` address differs (due to an error or incorrect signing), the function will decode and present the `from` address derived from the signature, not from the RLP data.
- This discrepancy can lead to incorrect transaction interpretation or origin confusion, where the transaction's origin may appear inaccurately.
Mismatched `from` addresses may lead to unclear or inaccurate records of transaction origin.
No response
Add a check to ensure the `from` address derived from the signature matches the address in the RLP data:

```solidity
require(info.from == values[8].toAddress(), "Mismatch between RLP 'from' and recovered 'from'");
```
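The same decode-then-compare check, written out in Python as an added example; it is not the `Tx` library's code. Assumptions: signature recovery is out of scope, so the recovered signer is passed in as `recovered_from`; only the `from` position (index 8) comes from the finding, and every field value in the sample is constructed.

```python
FROM_INDEX = 8  # 'from' position per the finding's values[8]; example code, not the Tx library's

def encode(item):  # RLP encoder, used here only to build the constructed sample
    if isinstance(item, bytes) and len(item) == 1 and item[0] < 0x80:
        return item
    body, base = (b"".join(map(encode, item)), 0xC0) if isinstance(item, list) else (item, 0x80)
    if len(body) <= 55:
        return bytes([base + len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([base + 55 + n]) + len(body).to_bytes(n, "big") + body

def decode_item(data, pos=0):
    """Decode one RLP item at pos; return (value, next_pos)."""
    if pos >= len(data):
        raise ValueError("truncated input")
    prefix = data[pos]
    if prefix < 0x80:                       # a single low byte is its own encoding
        return data[pos:pos + 1], pos + 1
    base = 0xC0 if prefix >= 0xC0 else 0x80
    if prefix <= base + 55:                 # short form: length lives in the prefix
        start, length = pos + 1, prefix - base
    else:                                   # long form: next n bytes hold the length
        n = prefix - base - 55
        start, length = pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    end = start + length
    if end > len(data):
        raise ValueError("truncated payload")
    if base == 0x80:
        return data[start:end], end
    items = []
    while start < end:                      # list payload: decode items until it is consumed
        item, start = decode_item(data[:end], start)
        items.append(item)
    return items, end

def check_from(raw_tx, recovered_from):
    """Return the declared sender, or raise if it differs from the signature's signer."""
    fields, end = decode_item(raw_tx)
    if end != len(raw_tx) or not isinstance(fields, list) or len(fields) <= FROM_INDEX:
        raise ValueError("malformed transaction")
    if fields[FROM_INDEX] != recovered_from:
        raise ValueError("Mismatch between RLP 'from' and recovered 'from'")
    return fields[FROM_INDEX]

# Constructed sample: placeholder values everywhere, declared 'from' at index 8.
SIGNER = bytes.fromhex("11" * 20)
FIELDS = [b"\x01"] * 8 + [SIGNER, b"\x1b", b"\x33" * 32, b"\x44" * 32]
RAW_TX = encode(FIELDS)
```

`check_from(RAW_TX, SIGNER)` returns the declared address; passing any other recovered address raises the mismatch error instead of silently preferring one value over the other.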