Category: Coding Mistakes

Signatures can be replayed

Critical Severity
High Impact
Medium Likelihood

Description

A minter can submit up to three signatures, and if the signatures are validated, they can receive a certain amount of tokens. However, there is no logic to check whether the signatures have already been submitted.

this.validateSig(msg, sig1, validator1, useSig1);
this.validateSig(msg, sig2, validator2, useSig2);
this.validateSig(msg, sig3, validator3, useSig3);
// Nothing here checks whether these signatures were already submitted before minting.
const token = new FungibleToken(tokenAddr);
await token.mint(receiver, amount);
this.emitEvent("Unlock", new UnlockEvent(receiver, tokenAddr, amount, id));

Impact

Once a minter obtains valid signatures that meet or exceed the threshold defined in the contract, they can replay those signatures to drain all the funds from the contract.

Recommendations

Once a signature is validated, record in a state variable that the signature has already been used, ensuring it cannot be replayed in the future.
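
The recommendation above, modeled as an added example (not the bridge's contract code): a self-contained TypeScript model of the unlock path with and without a used-message record. `BridgeModel`, `encodeMsg`, `usedMsgs`, `replayDemo` and the toy `sign` stand-in are hypothetical names, and the example assumes the signed message commits to every unlock field, including `id`.

```typescript
type Unlock = { receiver: string; tokenAddr: string; amount: number; id: number };
type Sig = { validator: string; tag: string };
// Assumption: the signed message commits to every unlock field, including id.
function encodeMsg(u: Unlock): string {
  return [u.receiver, u.tokenAddr, u.amount, u.id].join("|");
}

// Stand-in for a real signature scheme (constructed for this example only).
function sign(validator: string, msg: string): Sig {
  return { validator: validator, tag: "signed:" + validator + ":" + msg };
}
function validateSig(msg: string, sig: Sig, validators: string[]): boolean {
  return validators.indexOf(sig.validator) >= 0 && sig.tag === sign(sig.validator, msg).tag;
}

class BridgeModel {
  validators: string[];
  threshold: number;
  replayGuard: boolean;
  usedMsgs: Set<string> = new Set<string>(); // state: messages already redeemed
  balances: Record<string, number> = {};
  constructor(validators: string[], threshold: number, replayGuard: boolean) {
    this.validators = validators;
    this.threshold = threshold;
    this.replayGuard = replayGuard;
  }
  unlock(u: Unlock, sigs: Sig[]): "minted" | "bad-signatures" | "replayed" {
    const msg = encodeMsg(u);
    const signers = new Set<string>(); // count each validator at most once
    for (const s of sigs) if (validateSig(msg, s, this.validators)) signers.add(s.validator);
    if (signers.size < this.threshold) return "bad-signatures";
    if (this.replayGuard) {
      if (this.usedMsgs.has(msg)) return "replayed"; // already redeemed: reject
      this.usedMsgs.add(msg); // record as used before minting
    }
    this.balances[u.receiver] = (this.balances[u.receiver] || 0) + u.amount;
    return "minted";
  }
}

// Constructed scenario: one approved unlock is submitted twice with the same signatures.
function replayDemo(replayGuard: boolean): number {
  const bridge = new BridgeModel(["v1", "v2", "v3"], 2, replayGuard);
  const u: Unlock = { receiver: "alice", tokenAddr: "tokenA", amount: 100, id: 1 };
  const sigs = [sign("v1", encodeMsg(u)), sign("v2", encodeMsg(u))];
  bridge.unlock(u, sigs);
  bridge.unlock(u, sigs); // same signatures submitted again
  return bridge.balances["alice"];
}
```

Without the record, the single approval credits the receiver twice; with it, the second submission is rejected and the balance stays at the approved amount.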

Remediation

Sotatek acknowledged the finding and provided the following comment:

Mina Bridge is currently operating centrally. The owner is responsible for managing minters, senders, and admins. Therefore, the impact of this issue cannot be externally affected, unless the owner discloses the information. Besides, we need to fix both the SC and BE, and we need to go to production soon, so we will temporarily not fix it.

Zellic © 2025