fix: revert on invalid signature in receiveMessage to prevent griefing #1251
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
grasphoper
reviewed
Jan 16, 2026
| // Validate the quote and the signature. Revert on invalid to prevent griefing attacks | ||
| // where an attacker provides correct message/attestation but invalid signature. | ||
| _validateQuoteOrRevert(quote, signature); | ||
| _getMainStorage().usedNonces[quote.nonce] = true; |
Contributor
There was a problem hiding this comment.
Should we avoid an extra SLOAD here and just do this before _validateQuoteOrRevert and pass MainStorage down as an arg?
* add Arbitrum_Adapter.t.sol Signed-off-by: Ihor Farion <ihor@umaproject.org> * refactor Signed-off-by: Ihor Farion <ihor@umaproject.org> * add more asserts to the new test Signed-off-by: Ihor Farion <ihor@umaproject.org> * address incorrect constants usage Signed-off-by: Ihor Farion <ihor@umaproject.org> * chore: move tests from `chain-adapter` folder (#1233) * add CLAUDE.md Signed-off-by: Ihor Farion <ihor@umaproject.org> * plan out all tasks Signed-off-by: Ihor Farion <ihor@umaproject.org> * migrate ethereum adapter test Signed-off-by: Ihor Farion <ihor@umaproject.org> * remove Succinct_Adapter from migration tasks Signed-off-by: Ihor Farion <ihor@umaproject.org> * address incorrect constants usage Signed-off-by: Ihor Farion <ihor@umaproject.org> * migrate Arbitrum_SendTokensAdapterTest Signed-off-by: Ihor Farion <ihor@umaproject.org> * migrate Solana_Adapter Signed-off-by: Ihor Farion <ihor@umaproject.org> * port Optimism_Adapter.ts: first draft * improve the testing pattern Signed-off-by: Ihor Farion <ihor@umaproject.org> * port scroll adapter test: impl v0 * improve impl Signed-off-by: Ihor Farion <ihor@umaproject.org> * update TASKS.md with mockCall info Signed-off-by: Ihor Farion <ihor@umaproject.org> * port PolygonZkEVM adapter test Signed-off-by: Ihor Farion <ihor@umaproject.org> * port linea adapter test Signed-off-by: Ihor Farion <ihor@umaproject.org> * update CLAUDE.md Signed-off-by: Ihor Farion <ihor@umaproject.org> * migrate Polygon Adapter tests Signed-off-by: Ihor Farion <ihor@umaproject.org> * consolidate some common functionality Signed-off-by: Ihor Farion <ihor@umaproject.org> * update TASKS Signed-off-by: Ihor Farion <ihor@umaproject.org> * remove tasks Signed-off-by: Ihor Farion <ihor@umaproject.org> --------- Signed-off-by: Ihor Farion <ihor@umaproject.org> * port OP_Adapter test Signed-off-by: Ihor Farion <ihor@umaproject.org> * remove ported hardhat tests Signed-off-by: Ihor Farion <ihor@umaproject.org> * move chain adapter tests to chain-adapters/ Signed-off-by: Ihor Farion <ihor@umaproject.org> * fix import paths for chain adapter tests + add missing asserts to arbitrum-adapter tests Signed-off-by: Ihor Farion <ihor@umaproject.org> * complete Arbitrum_SendTokensAdapter test --------- Signed-off-by: Ihor Farion <ihor@umaproject.org>
This fix addresses ACP-27 where an attacker could grief users by front-running receiveMessage with valid CCTP message/attestation but an invalid signature. Previously, this would cause the transaction to succeed with fallback behavior, consuming the CCTP nonce and causing the user to lose sponsorship and custom EVM actions. Changes: - Replace _isQuoteValid() with _validateQuoteOrRevert() that reverts with specific errors (InvalidSignature, InvalidNonce, InvalidDeadline) - Remove conditional fallback logic since validation now reverts - Update tests to expect reverts instead of fallback behavior - Add griefing attack prevention tests Now when an attacker submits an invalid signature, the entire transaction reverts, preserving the CCTP nonce so the legitimate caller can still submit with the correct signature. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fusmanii
force-pushed
the
faisal/acp-27-consider-reverting-on-invalid-sig-for-receivemessage
branch
from
0721678 to
038cf19
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fix addresses ACP-27 where an attacker could grief users by front-running receiveMessage with valid CCTP message/attestation but an invalid signature. Previously, this would cause the transaction to succeed with fallback behavior, consuming the CCTP nonce and causing the user to lose sponsorship and custom EVM actions.
Changes:
Now when an attacker submits an invalid signature, the entire transaction reverts, preserving the CCTP nonce so the legitimate caller can still submit with the correct signature.