Closed c4-submissions closed 12 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as primary issue
These are not low-level calls.
The referenced interaction is actually intended and conforms to the Gnosis Safe specification; the ExecutorPlugin
simply behaves as a module of the Gnosis Safe.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/ExecutorPlugin.sol#L86-L98
https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/ExecutorPlugin.sol#L90-L93
Vulnerability details
Impact
Module execution is done via a low-level call. This bypasses the Safe's built-in validations.
Proof of Concept
The low-level call happens in the _executeTxnAsModule function
Specifically on.
This bypasses Gnosis Safe's standard transaction workflow which includes:
Because _executeTxnAsModule directly calls execTransactionFromModule, these protections are skipped. This exposes several risks.
Ultimately this could lead to loss of funds due to the circumvention of key Gnosis Safe checks designed to prevent unauthorized or invalid transactions.
A safer approach would be to use the official transaction workflow:
- submitTransaction to add to execution queue
- approveHash to record approvals
- executeTransaction to finalize based on approvals
This would enforce all the Gnosis Safe's validity and authorization checks as designed.
The low-level call by _executeTxnAsModule bypasses critical Safe protections that could lead to transaction abuse. But using the standard workflow would be aligned with Safe's security model.
Tools Used
Manual Review VsCode
Recommended Mitigation Steps
Should execute through the official Safe transaction flow instead.
Assessed type
call/delegatecall
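The module path that the review comments on this issue refer to can be modelled as below. This is an added example, not code from the report, Brahma or Safe: a simplified Python model whose class, addresses and error strings are constructed. It assumes, as in Safe, that a module can only be enabled through an owner-approved transaction.

```python
# Simplified model of a Safe's owner path and module path (constructed names).
class SafeModel:
    def __init__(self, owners, threshold):
        self.owners = set(owners)
        self.threshold = threshold
        self.modules = set()  # addresses enabled as modules

    def _require_owner_approvals(self, approvals):
        # Owner path check: at least `threshold` distinct owners approved.
        if len(self.owners & set(approvals)) < self.threshold:
            raise PermissionError("owner threshold not met")

    def enable_module(self, module, approvals):
        # Stand-in for the Safe calling enableModule on itself, which only
        # happens through an owner-approved transaction.
        self._require_owner_approvals(approvals)
        self.modules.add(module)

    def exec_transaction(self, to, approvals):
        self._require_owner_approvals(approvals)
        return True

    def exec_transaction_from_module(self, caller, to):
        # Module path: no per-call signatures, but the caller must already
        # be an enabled module, otherwise the call is rejected.
        if caller not in self.modules:
            raise PermissionError("caller is not an enabled module")
        return True

def attempt(fn, *args):
    # Return "ok" or the rejection reason instead of raising.
    try:
        fn(*args)
        return "ok"
    except PermissionError as exc:
        return str(exc)

def demo():
    safe = SafeModel(owners={"0xA", "0xB", "0xC"}, threshold=2)
    plugin, stranger, target = "0xExecutorPlugin", "0xStranger", "0xTarget"
    return [
        attempt(safe.exec_transaction_from_module, plugin, target),  # not enabled yet
        attempt(safe.enable_module, plugin, ["0xA"]),                # 1 of 2 owners
        attempt(safe.enable_module, plugin, ["0xA", "0xB"]),         # threshold met
        attempt(safe.exec_transaction_from_module, plugin, target),  # enabled module
        attempt(safe.exec_transaction_from_module, stranger, target),
    ]
```

The per-call signature check is absent on the module path by design; the authorization decision was made when the owners enabled the module.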