This repository has been archived by the owner on Jun 11, 2023. It is now read-only.
obront - If signer gate is deployed to safe with more than 5 existing modules, safe will be bricked #43
Labels
Fix Approved
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
HSG
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
Medium
This was referenced Mar 12, 2023
Closed
spengrah
added
HSG
Sponsor Confirmed
|
Based on other findings, considering removing the ability for any other modules to exist alongside HSG. If we go that route, the fix here would likely be to revert if cc @zobront |
|
Great, I agree with that. |
|
zobront added "Fix Approved" label |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
obront
medium
If signer gate is deployed to safe with more than 5 existing modules, safe will be bricked
Summary
HatsSignerGatecan be deployed with a fresh safe or connected to an existing safe. In the event that it is connected to an existing safe, it pulls the first 5 modules from that safe to count the number of connected modules. If there are more than 5 modules, it silently only takes the first five. This results in a mismatch between the real number of modules andenabledModuleCount, which causes all future transactions to revert.Vulnerability Detail
When a
HatsSignerGateis deployed to an existing safe, it pulls the existing modules with the following code:Because the modules are requested paginated with
5as the second argument, it will return a maximum of 5 modules. If the safe already has more than 5 modules, only the first 5 will be returned.The result is that, while the safe has more than 5 modules, the gate will be set up with
enabledModuleCount = 5 + 1.When a transaction is executed,
checkTransaction()will get the hash of the first 6 modules:After the transaction, the first 7 modules will be checked to compare it:
Since it already had more than 5 modules (now 6, with HatsSignerGate added), there will be a 7th module and the two hashes will be different. This will cause a revert.
This would be a high severity issue, except that in the comments for the function it says:
This is the correct recommendation, but given the substantial consequences of getting it wrong, it should be enforced in code so that a safe with more modules reverts, rather than merely suggested in the comments.
Impact
If a HatsSignerGate is deployed and connected to a safe with more than 5 existing modules, all future transactions sent through that safe will revert.
Code Snippet
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateFactory.sol#L124-L141
Tool used
Manual Review
Recommendation
The
deployHatsSignerGate()function should revert if attached to a safe with more than 5 modules:function deployHatsSignerGate( uint256 _ownerHatId, uint256 _signersHatId, address _safe, // existing Gnosis Safe that the signers will join uint256 _minThreshold, uint256 _targetThreshold, uint256 _maxSigners ) public returns (address hsg) { // count up the existing modules on the safe (address[] memory modules,) = GnosisSafe(payable(_safe)).getModulesPaginated(SENTINEL_MODULES, 5); uint256 existingModuleCount = modules.length; + (address[] memory modulesWithSix,) = GnosisSafe(payable(_safe)).getModulesPaginated(SENTINEL_MODULES, 6); + if (modules.length != moduleWithSix.length) revert TooManyModules(); return _deployHatsSignerGate( _ownerHatId, _signersHatId, _safe, _minThreshold, _targetThreshold, _maxSigners, existingModuleCount ); }The text was updated successfully, but these errors were encountered: