fix: task replay directed at same operator set #1629
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0xrajath
added
⚖️ Audit Fix
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a security vulnerability where certificates could be replayed across different tasks directed at the same operator set. The fix changes the message hash from being based solely on the result to including both the task hash and result, preventing cross-task certificate replay attacks.
- Updates message hash calculation to include task hash in addition to result data
- Adds new test cases to verify certificate replay attacks are prevented
- Updates all existing test helper functions and test cases to use the new message hash format
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/contracts/avs/task/TaskMailbox.sol | Implements new getMessageHash function and updates certificate verification to use task-specific message hashes |
| src/contracts/interfaces/ITaskMailbox.sol | Adds interface declaration for the new getMessageHash function |
| src/test/unit/TaskMailboxUnit.t.sol | Updates test helper functions and adds comprehensive test coverage for certificate replay prevention |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
bdchatham
reviewed
Sep 17, 2025
nadir-akhtar
approved these changes
Sep 18, 2025
0xrajath
added a commit
to Layr-Labs/eigenlayer-middleware
that referenced
this pull request
Sep 18, 2025
**Motivation:** Bumping up the core submodule to pull in the following changes: Layr-Labs/eigenlayer-contracts#1629 **Modifications:** * Latest `eigenlayer-contracts` changes **Result:** Fixes SigmaPrime: `ELHG-02` finding.
hashmap0x
added a commit
to hashmap0x/eigenlayer-middleware
that referenced
this pull request
Sep 23, 2025
**Motivation:** Bumping up the core submodule to pull in the following changes: Layr-Labs/eigenlayer-contracts#1629 **Modifications:** * Latest `eigenlayer-contracts` changes **Result:** Fixes SigmaPrime: `ELHG-02` finding.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Fixing a bug where a random actor could permissionlessly call
TaskMailbox::submitResultwith an old cert+result combination (as long as the cert is not stale) but for a completely different task directed at the same operator set in the TaskMailbox. This could lead to DoS of the taskCreator.Modifications:
The
messageHashof the cert now iskeccak256(abi.encode(taskHash, result))instead of justkeccak256(result). This ensures that the messageHash is applicable only for a specific task and can't be replayed across tasks.Result:
Fixes
SigmaPrime: ELHG-02finding.