Description

BfxU and RabbitU contracts both use the EIP712VerifierU contract for signature verification. During the initialization, the contracts call the function __EIP712VerifierU_init, which takes as input a domain separator to prevent replaying the signature between the Blast and Ethereum chains:

function __EIP712VerifierU_init(string memory domainName, string memory version, address signer) internal initializer {
    require(signer != address(0), "ZERO_SIGNER");
    __EIP712_init(domainName, version);
    external_signer = signer;
}

This domain separator is hashed together with a chain ID and contract address by _buildDomainSeparator to build the message digest during signature verification:

function _buildDomainSeparator() private view returns (bytes32) {
    return keccak256(abi.encode(TYPE_HASH, _EIP712NameHash(), _EIP712VersionHash(), block.chainid, address(this)));
}

However, both BfxU and RabbitU contracts use the same domain separator at initialization:

function initialize(
    // [...]
) public initializer {
    __Ownable_init(_owner);
    __UUPSUpgradeable_init();

    EIP712VerifierU.__EIP712VerifierU_init(
        "RabbitXWithdrawal",
        "1",
        _signer
    );
    // [...]
}

This prevents the purpose of using a domain separator to thwart replay attacks.

Impact

In the current implementation, the chain IDs and the contract addresses are different between contracts and, thus, prevent the replay of the signature, but using the same domain separator for the two different contracts is not best practice.

Recommendations

We recommend to change the BfxU domain separator at initialization according to the name of the application.

Remediation

This issue has been acknowledged by RabbitX, and a fix was implemented in commit a7fa5c60↗.