Low-level call in `_executeTxnAsModule` bypasses Safe's built-in security checks.

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/ExecutorPlugin.sol#L86-L98 https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/ExecutorPlugin.sol#L90-L93

Vulnerability details

Impact

Module execution is done via a low-level call. This bypasses the Safe's built-in validations.

Proof of Concept

The low-level call happens in the _executeTxnAsModule function

function _executeTxnAsModule(address _account, Types.Executable memory _executable)
  internal 
  returns (bytes memory)
{

  (bool success, bytes memory txnResult) = IGnosisSafe(_account).execTransactionFromModuleReturnData(
    _executable.target,
    _executable.value,
    _executable.data,
    SafeHelper._parseOperationEnum(_executable.callType)  
  );

  ...

}

Specifically on.

IGnosisSafe(_account).execTransactionFromModuleReturnData(
  _executable.target,
  _executable.value,
  _executable.data,
  ...
)

This bypasses Gnosis Safe's standard transaction workflow which includes:

• Nonce checkpointing to prevent replay attacks
• Confirmation requirements checked before execution
• Checking module transaction guards like whitelist restrictions

Because _executeTxnAsModule directly calls execTransactionFromModule, these protections are skipped.

This exposes several risks.

• Transactions could be replayed by repeating nonces
• Insufficient approvals may still lead to execution
• Module restriction bypasses may be possible

Ultimately this could lead to loss of funds due to the circumvention of key Gnosis Safe checks designed to prevent unauthorized or invalid transactions.

Safer approach would be to use the official transaction workflow:

• submitTransaction to add to execution queue
• approveHash to record approvals
• executeTransaction to finalize based on approvals

This would enforce all the Gnosis Safe's validity and authorization checks as designed.

The low-level call by _executeTxnAsModule bypasses critical Safe protections that could lead to transaction abuse. But Using the standard workflow would be aligned with Safe's security model.

Tools Used

Manual Review VsCode

Recommended Mitigation Steps

Should execute through the official Safe transaction flow instead.

Assessed type

call/delegatecall

[c4-pre-sort]

raymondfam marked the issue as low quality report

[c4-pre-sort]

raymondfam marked the issue as primary issue

[raymondfam]

These are not low-level calls.

[alex-ppg]

The referenced interaction is actually intended and conforms to the Gnosis Safe specification; the ExecutorPlugin simply behaves as a module of the Gnosis Safe.

[c4-judge]

alex-ppg marked the issue as unsatisfactory: Invalid