security: validate messageFrom to prevent identity spoofing#9
security: validate messageFrom to prevent identity spoofing#9paul-research wants to merge 1 commit into
Conversation
Require messageFrom matches actual sender/owner to prevent users from impersonating others in message events. - Add validation in Recibo.sol (5 functions) and ReciboToken.sol (3 functions) - Fix missing spender check in permitWithMsg - Add error messages to all require statements - Update test fixtures accordingly All 103 tests pass. Gas increase: ~500 per call.
Memo indexer findings: messageFrom validation gap affects trust in off-chain memo searchWe built a Transaction Memo Indexer (Tool B) for Arc Testnet that stores and queries In our indexer, we record the event Memo(address indexed sender, address indexed target, bytes32 callDataHash, bytes32 indexed memoId, bytes memo, uint256 memoIndex);The However, if the memo's payload (the Recommendation: any dapp or indexer that reads structured memo payloads should:
The fix proposed in this issue (validating |
Validate messageFrom to prevent spoofing
Problem
messageFrom in ReciboInfo is not validated. Anyone can set it to an arbitrary address:
recibo.sendMsg(ReciboInfo({
messageFrom: PAUL_ADDRESS,
messageTo: victim,
message: encrypted_msg,
metadata: "{}"
}))
// Event shows "Paul sent message" but actual sender was attacker
This will get flagged in audit.
Solution
require(info.messageFrom == msg.sender, "Recibo: messageFrom must match sender");
Applied to all functions in both Recibo.sol and ReciboToken.sol.
Bonus: Added missing spender != address(this) check in permitWithMsg.
Potential pushback & responses
"We're adding AA soon, won't this block relayers?"
Yes, but that's the point. Current design has no signature verification - anyone can spoof.
When we add AA, we'll add separate functions:
sendMsg() - simple, direct calls (this PR)
sendMsgWithSignature() - supports relayers (Phase 2)
Both need to be secure. Can't ship AA with an insecure fallback function.
"But calldata has tx.from, so we can verify off-chain"
Events are for indexing. Not every UI/indexer will parse calldata for tx.from.
Attack vector: phishing notifications ("Circle sent you a message!").
Arc Chain = financial messaging with USDC gas = higher security bar.
"messageFrom is for flexibility"
Without signature verification, it's for spoofing.
AA requires EIP-712 signatures anyway. This PR doesn't prevent AA
Breaking change
Impact: Minimal. Python client already uses sender_address correctly.
Only affects hypothetical relayer code (which doesn't exist yet and would need signatures anyway).