Dry Garnet Cobra
High
Insufficient signature validity checks result in unauthorized use of the Safe.
The _countValidSignatures function in HatsSignerGate can be bypassed by an attacker to authorize malicious transactions.
Consider the following two cases:
if (v == 0) {
// If v is 0 then it is a contract signature
// When handling contract signatures the address of the contract is encoded into r
currentOwner = address(uint160(uint256(r)));
}else if (v == 1) {
// If v is 1 then it is an approved hash
// When handling approved hashes the address of the approver is encoded into r
currentOwner = address(uint160(uint256(r)));
}Notice that the _countValidSignatures function will accept the currentOwner as the contents of the r parameter from the parsed signature array without validation.
This means an attacker can simply create an array of mock signatures comprised of only the public addresses of valid owners in order to masquerade as them, since neither the approved hash or contract signature is actually validated for authenticity.
- Admin authorizes HSG for their vault and uses a number of
registeredSignerHatsthat exceeds the signing threshold.
No response
- Attacker submits malicious payload using
signaturescalldata containing abi encodedregisteredSignerHatsaddresses which enter only thev == 0andv == 1cases.
Attackers can steal all funds from Safes that authorize the HSG.
No response
The specified addresses must be validated.
When validating contract signatures, use: https://github.com/safe-global/safe-smart-account/blob/c36bcab46578a442862d043e12a83fec41143dec/contracts/GnosisSafe.sol#L257C13-L286C14
When validating approved hashes, use: https://github.com/safe-global/safe-smart-account/blob/c36bcab46578a442862d043e12a83fec41143dec/contracts/GnosisSafe.sol#L286C15-L292C14