Proper Champagne Raven
High
In the `_countValidSignatures` function, a malicious signer can send the same signature multiple times in the `signatures` parameter.
In HatsSignerGate.sol:656-683, there is a missing check that the signature has already been used.
The function is inspired by the one the Safe wallet uses to validate transactions, but the Safe function has this check:
```solidity
if (currentOwner <= lastOwner || owners[currentOwner] == address(0) || currentOwner == SENTINEL_OWNERS)
    revertWithError("GS026");
```
- The malicious signer should be a valid owner. The issue is that only one valid signature is enough to pass the threshold.
- A valid signer sends the same signature multiple times in the `signatures` parameter.
- `checkTransaction` calls the internal `_countValidSignatures` function.
- The function does not revert, counts the same signature multiple times as valid, and a malicious transaction is validated.
A malicious signer can bypass the threshold security.
Create a mapping variable that records whether the signer has already signed the message during the call.

```solidity
// key: keccak256(abi.encode(signer, dataHash))
mapping(bytes32 => bool) hasSigned;
```

And in the loop something like this:

```solidity
if (isValidSigner(currentOwner) && !hasSigned[keccak256(abi.encode(currentOwner, dataHash))]) {
    // shouldn't overflow given reasonable sigCount
    unchecked {
        ++validSigCount;
    }
    // mark this signer as counted for this dataHash so a repeated signature is skipped
    hasSigned[keccak256(abi.encode(currentOwner, dataHash))] = true;
}
```
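The Safe-style ordering check quoted in the root cause rejects duplicates without any storage writes. The contract below is an added example, not HatsSignerGate or Safe code: `SigCounter`, its `isValidSigner` mapping and the error strings are hypothetical stand-ins, and it assumes plain 65-byte `{r}{s}{v}` ECDSA signatures only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration of duplicate-signature rejection via strict signer ordering.
contract SigCounter {
    // Hypothetical stand-in for the gate's signer validity lookup.
    mapping(address => bool) public isValidSigner;

    constructor(address[] memory signers) {
        for (uint256 i; i < signers.length; ++i) isValidSigner[signers[i]] = true;
    }

    /// Counts valid signers among `sigCount` concatenated 65-byte signatures.
    /// Callers must sort signatures by recovered signer address, ascending.
    /// A repeated signature recovers the same address twice, so the strict
    /// `>` comparison reverts instead of counting it again.
    function countValidSignatures(bytes32 dataHash, bytes memory signatures, uint256 sigCount)
        public
        view
        returns (uint256 validSigCount)
    {
        require(signatures.length >= sigCount * 65, "signatures too short");
        address lastOwner = address(0);
        for (uint256 i; i < sigCount; ++i) {
            bytes32 r;
            bytes32 s;
            uint8 v;
            assembly {
                // skip the 32-byte length word, then index the i-th 65-byte signature
                let pos := add(signatures, add(0x20, mul(i, 0x41)))
                r := mload(pos)
                s := mload(add(pos, 0x20))
                v := byte(0, mload(add(pos, 0x40)))
            }
            // ecrecover returns address(0) on failure, which also fails the check below
            address currentOwner = ecrecover(dataHash, v, r, s);
            require(currentOwner > lastOwner, "duplicate or unsorted signer");
            lastOwner = currentOwner;
            if (isValidSigner[currentOwner]) {
                // shouldn't overflow given reasonable sigCount
                unchecked {
                    ++validSigCount;
                }
            }
        }
    }
}
```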