safe-global · remedcu · Jul 18, 2024 · Jul 15, 2024 · Jul 15, 2024 · Jul 16, 2024
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        rule: ['verify4337Module.sh', 'verifyTransactionExecutionMethods.sh', 'verifyValidationData.sh']
+        rule: ['verify4337Module.sh', 'verifyTransactionExecutionMethods.sh', 'verifyValidationData.sh', 'verifySignatureLengthCheck.sh']
     steps:
       - uses: actions/checkout@v3
 

@@ -0,0 +1,16 @@
+{
+    "files": [
+        "certora/harnesses/Safe4337ModuleHarness.sol",
+        "certora/harnesses/Account.sol",
+    ],
+    "loop_iter": "3",
+	"optimistic_loop": true,
+    "msg": "Safe4337Module: Signatures Length Check",
+    "rule_sanity": "basic",
+    "solc": "solc8.23",
+    "verify": "Safe4337ModuleHarness:certora/specs/SignatureLengthCheck.spec",
+    "packages": [
+        "@account-abstraction=../../node_modules/.pnpm/@account-abstraction+contracts@0.7.0/node_modules/@account-abstraction",
+        "@safe-global=../../node_modules/.pnpm/@safe-global+safe-contracts@1.4.1-build.0_ethers@6.13.1_bufferutil@4.0.8_utf-8-validate@5.0.10_/node_modules/@safe-global"
+    ]
+}
@@ -53,6 +53,59 @@ contract Account is Safe {
     function getValidUntilTimestamp(bytes calldata sigs) external pure returns (uint48) {
         return uint48(bytes6(sigs[6:12]));
     }
+
+    /*
+    This function is used to calculate the hash of the signatures in a standard way. This will result in signatures having possible excess data to result in the same hash
+    as the same signatures without the excess data. This is required for formal verification.
+
+    Actual Signature:
+    "0x" +
+    "0000000000000000000000000000000000000000000000000000000000000001 0000000000000000000000000000000000000000000000000000000000000041 00" + // encoded EIP-1271 signature 1
+    "0000000000000000000000000000000000000000000000000000000000000004 deadbeef"                                                              // length of bytes + data of bytes of signature 1
+
+    With Excess Data:
+    "0x" +
+    "0000000000000000000000000000000000000000000000000000000000000001 0000000000000000000000000000000000000000000000000000000000000041 00" + // encoded EIP-1271 signature 1
+    "0000000000000000000000000000000000000000000000000000000000000004 deadbeef"                                                              // length of bytes + data of bytes of signature 1
+    "ffffff"                                                                                                                                 // excess data
+
+    Both will have the same canonical hash: 0xc860b1a81652620308a8138a17ef5105d9b18e6e766516ffd3de9897260d1320
+    */
+    function canonicalSignatureHash(bytes calldata signatures, uint256 safeThreshold) public pure returns (bytes32 canonical) {
+        uint256 dynamicOffset = safeThreshold * 0x41;
+        bytes memory staticPart = signatures[:dynamicOffset];
+        bytes memory dynamicPart = "";
+
+        for (uint256 i = 0; i < safeThreshold; i++) {
+            uint256 ptr = i * 0x41;
+            uint8 v = uint8(signatures[ptr + 0x40]);
+
+            // Check to see if we have a smart contract signature, and if we do, then append
+            // the signature to the dynamic part.
+            if (v == 0) {
+                uint256 signatureOffset = uint256(bytes32(signatures[ptr + 0x20:]));
+                require(signatureOffset >= dynamicOffset, "Invalid signature offset");
+
+                uint256 signatureLength = uint256(bytes32(signatures[signatureOffset:]));
+                require(signatureLength > 0, "Invalid signature length");
+
+                bytes memory signature = signatures[signatureOffset+0x20:][:signatureLength];
+
+                // Make sure to update the static part so that the smart contract signature
+                // points to the "canonical" signature offset (i.e. that all contract
+                // signatures are tightly packed one after the other in order). This ensures
+                // a canonical representation for the signatures.
+                /* solhint-disable no-inline-assembly */
+                assembly ("memory-safe") {
+                    mstore(add(staticPart, add(0x40, ptr)), dynamicOffset)
+                }
+                /* solhint-enable no-inline-assembly */
+                dynamicOffset += signatureLength + 0x20;
+                dynamicPart = abi.encodePacked(dynamicPart, signatureLength, signature);
+            }
+        }
+        canonical = keccak256(abi.encodePacked(staticPart, dynamicPart));
+    }
 }
 
 // @notice This is a harness contract for the rule that verfies the validation data

@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+pragma solidity >=0.8.0;
+import {Safe4337Module} from "./../../contracts/Safe4337Module.sol";
+
+contract Safe4337ModuleHarness is Safe4337Module {
+    constructor(address entryPoint) Safe4337Module(entryPoint) {}
+
+    function checkSignaturesLength(bytes calldata signatures, uint256 threshold) external pure returns (bool) {
+        return _checkSignaturesLength(signatures, threshold);
+    }
+}
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+params=()
+
+if [[ -n "$CI" ]]; then
+    params=("--wait_for_results")
+fi
+
+certoraRun certora/conf/SignatureLengthCheck.conf \
+    "${params[@]}" \
+    "$@"
+
@@ -0,0 +1,17 @@
+using Account as safeContract;
+
+methods {
+    function checkSignaturesLength(bytes, uint256) external returns(bool) envfree;
+
+    // Safe Contract functions
+    function safeContract.canonicalSignatureHash(bytes, uint256) external returns(bytes32) envfree;
+}
+
+// This rule verifies that if excess data is added to the signature, though it could pass in the safe contract's `checkSignatures(...)`,
+// it will be caught within the `_checkSignaturesLength(...)` call, as the dynamic length is checked.
+rule canonicalHashBasedLengthCheck(bytes signatures, bytes griefedSignatures, uint256 threshold) {
+    require safeContract.canonicalSignatureHash(signatures, threshold) == safeContract.canonicalSignatureHash(griefedSignatures, threshold);
+    require signatures.length < griefedSignatures.length;
+
+    assert checkSignaturesLength(signatures, threshold) => !checkSignaturesLength(griefedSignatures, threshold);
+}