Skip to content
This repository has been archived by the owner on Jun 11, 2023. It is now read-only.

Allarious - [Medium][Outdated State] _removeSigner incorrectly updates signerCount and safe threshold #79

Open
sherlock-admin opened this issue Mar 9, 2023 · 3 comments
Labels
Fix Approved Has Duplicates A valid issue with 1+ other issues describing the same vulnerability HSG Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

Allarious

medium

[Medium][Outdated State] _removeSigner incorrectly updates signerCount and safe threshold

Summary

_removeSigner can be called whenever a signer is no longer valid to remove an invalid signer. However, under certain situations, removeSigner incorrectly reduces the number of signerCount and sets the threshold incorrectly.

Vulnerability Detail

_removeSigner uses the code snippet below to decide if the number of signerCount should be reduced:

        if (validSignerCount == currentSignerCount) {
            newSignerCount = currentSignerCount;
        } else {
            newSignerCount = currentSignerCount - 1;
        }

If first clause is supposed to be activated when validSignerCount and currentSignerCount are still in sync, and we want to remove an invalid signer. The second clause is for when we need to identify a previously active signer which is inactive now and want to remove it. However, it does not take into account if a previously in-active signer became active. In the scenario described below, the signerCount would be updated incorrectly:

(1) Lets imagine there are 5 signers where 0, 1 and 2 are active while 3 and 4 are inactive, the current signerCount = 3
(2) In case number 3 regains its hat, it will become active again
(3) If we want to delete signer 4 from the owners' list, the _removeSigner function will go through the signers and find 4 valid signers, since there were previously 3 signers, validSignerCount == currentSignerCount would be false.
(4) In this case, while the number of validSingerCount increased, the _removeSigner reduces one.

Impact

This can make the signerCount and safe threshold to update incorrectly which can cause further problems, such as incorrect number of signatures needed.

https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L387

Code Snippet

No code snippet provided

Tool used

Manual Review

Recommendation

Check if the number of validSignerCount decreased instead of checking equality:

@line 387 HatsSignerGateBase
- if (validSignerCount == currentSignerCount) {
+ if (validSignerCount >= currentSignerCount) {
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Mar 12, 2023
@spengrah spengrah added HSG Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 22, 2023
@spengrah
Copy link

This is another issue that can be avoided by using a dynamic getSignerCount instead of relying on the signerCount state variable.

cc @zobront

@spengrah
Copy link

@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 29, 2023
@MLON33
Copy link

MLON33 commented Apr 13, 2023

zobront added "Fix Approved" label

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Fix Approved Has Duplicates A valid issue with 1+ other issues describing the same vulnerability HSG Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Development

No branches or pull requests

4 participants