No domain separator for signed message
In SponsorshipPaymaster, the hash of the data is calculated as follows:
    function getHash(/* ... */) public view returns (bytes32) {
        // can't use userOp.hash(), since it contains also the paymasterAndData itself.
        return
            keccak256(
                abi.encode(
                    userOp.getSender(),
                    userOp.nonce,
                    userOp.initCode,
                    userOp.callData,
                    userOp.callGasLimit,
                    userOp.verificationGasLimit,
                    userOp.preVerificationGas,
                    userOp.maxFeePerGas,
                    userOp.maxPriorityFeePerGas,
                    block.chainid,
                    address(this),
                    paymasterId,
                    validUntil,
                    validAfter,
                    priceMarkup
                )
            );
    }
The signed message structure has no domain separator. Therefore, if another protocol used a signed message structure similar to this one, a replay attack could be possible.
However, due to the inclusion of chainid in the hash, cross-chain replay attacks are mitigated. Additionally, the data includes many unique parameters, such as initCode, which holds bytes for the construction of the account contract; therefore, it is highly improbable that a collision may occur.
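One way to add the missing domain separator, shown as an added example in EIP-712 form (not the audited contract's code). The contract name, the domain name and version strings, the Sponsorship type, the single userOpFields hash and the integer widths are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited SponsorshipPaymaster code.
// Contract name, domain name/version and the Sponsorship type are hypothetical.
contract DomainSeparatedPaymasterHash {
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    // userOpFields: keccak256 over the user-operation fields listed in getHash()
    // (sender through maxPriorityFeePerGas), computed by the caller.
    // The integer widths below are assumptions; the page does not give them.
    bytes32 private constant SPONSORSHIP_TYPEHASH = keccak256(
        "Sponsorship(bytes32 userOpFields,address paymasterId,uint48 validUntil,uint48 validAfter,uint32 priceMarkup)"
    );

    // Recomputed on every call so the value follows block.chainid after a fork.
    // chainId and verifyingContract take over the role of block.chainid and
    // address(this) in the original payload.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(
            abi.encode(
                DOMAIN_TYPEHASH,
                keccak256(bytes("ExamplePaymaster")), // placeholder name
                keccak256(bytes("1")),                // placeholder version
                block.chainid,
                address(this)
            )
        );
    }

    // Digest the off-chain signer signs and the paymaster later recovers against.
    function getHash(
        bytes32 userOpFields,
        address paymasterId,
        uint48 validUntil,
        uint48 validAfter,
        uint32 priceMarkup
    ) public view returns (bytes32) {
        bytes32 structHash = keccak256(
            abi.encode(SPONSORSHIP_TYPEHASH, userOpFields, paymasterId, validUntil, validAfter, priceMarkup)
        );
        // "\x19\x01" is the EIP-712 prefix: the preimage is 66 bytes and starts
        // with 0x1901, so it cannot equal a bare abi.encode(...) preimage.
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }
}
```

The type hash ties a signature to this specific message type, and the domain ties it to this contract on this chain, so a signature over a similar-looking structure in another protocol produces a different digest.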