code-423n4 / 2023-10-brahma-findings


Brahma contracts may not work on some chains #143

Closed c4-submissions closed 10 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/SafeDeployer.sol#L128
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/PolicyValidator.sol#L63
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ExecutorPlugin.sol#L90

Vulnerability details

Impact

Brahma contracts may not work on some chains as it was announced in the contest.

Proof of Concept

On the contest page there is a list of target chains where the protocol should work:

  1. Ethereum
  2. Optimism
  3. Base
  4. Avalanche C Chain
  5. Polygon Mainnet
  6. Arbitrum
  7. Polygon zkEVM
  8. Binance Smart Chain
  9. Fantom

All of these chains should work with Gnosis Safe Wallets, as there are a lot of calls to it in different core contracts, like ExecutorPlugin, SafeDeployer, PolicyValidator, etc.

However, Gnosis does not support the Fantom chain at the moment: https://help.safe.global/en/articles/40795-supported-networks

So any calls at that chain will fail.

Tools Used

Manual review

Recommended Mitigation Steps

Consider checking supported chains before protocol deployment.

Assessed type

Context
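
As an added example (not code from the warden's submission or from the Brahma repository), here is the kind of pre-deployment check the mitigation above calls for: before deploying on a chain, confirm via `eth_getCode` that the Safe contracts the core contracts call into actually have bytecode there. The chain ids are the standard public EVM chain ids for the chains named in the list (the contest page gives names only); the Safe contract addresses are placeholders to be replaced with the official release addresses for the Safe version being targeted, and the RPC endpoint plumbing is an assumption about how the check would be wired up.

```python
"""
Pre-deployment check: do the Gnosis Safe contracts this protocol depends on
exist on each target chain? Added example, not part of the Brahma code base.
"""
import json
import urllib.request
from typing import Callable, Dict, List

# Chains named on the contest page, mapped to their standard EVM chain ids
# (the chain ids are not on the page; they are the public network ids).
TARGET_CHAINS: Dict[str, int] = {
    "Ethereum": 1,
    "Optimism": 10,
    "Base": 8453,
    "Avalanche C Chain": 43114,
    "Polygon Mainnet": 137,
    "Arbitrum": 42161,
    "Polygon zkEVM": 1101,
    "Binance Smart Chain": 56,
    "Fantom": 250,
}

# Safe contracts the core contracts call into. Addresses are PLACEHOLDERS:
# substitute the official Safe release addresses for the version you deploy against.
REQUIRED_SAFE_CONTRACTS: Dict[str, str] = {
    "GnosisSafe singleton": "0x<SAFE_SINGLETON_ADDRESS_PLACEHOLDER>",
    "GnosisSafeProxyFactory": "0x<SAFE_PROXY_FACTORY_ADDRESS_PLACEHOLDER>",
}

# address -> hex bytecode string as returned by eth_getCode
CodeGetter = Callable[[str], str]


def eth_get_code(rpc_url: str) -> CodeGetter:
    """Build an eth_getCode lookup bound to one chain's JSON-RPC endpoint (assumed URL)."""
    def get_code(address: str) -> str:
        payload = {"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                   "params": [address, "latest"]}
        req = urllib.request.Request(rpc_url, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)["result"]
    return get_code


def has_code(bytecode: str) -> bool:
    """eth_getCode returns '0x' (some nodes: '') for an address with no contract."""
    stripped = bytecode.lower()
    if stripped.startswith("0x"):
        stripped = stripped[2:]
    return stripped != ""


def missing_safe_contracts(get_code: CodeGetter,
                           required: Dict[str, str] = REQUIRED_SAFE_CONTRACTS) -> List[str]:
    """Names of required Safe contracts that have no bytecode on the queried chain."""
    return [name for name, addr in required.items() if not has_code(get_code(addr))]


def preflight(getters: Dict[str, CodeGetter],
              required: Dict[str, str] = REQUIRED_SAFE_CONTRACTS) -> Dict[str, List[str]]:
    """Run the dependency check per chain; maps chain name -> missing contract names."""
    unknown = set(getters) - set(TARGET_CHAINS)
    if unknown:
        raise ValueError(f"not in the announced target list: {sorted(unknown)}")
    return {chain: missing_safe_contracts(getter, required) for chain, getter in getters.items()}


def deployable_chains(report: Dict[str, List[str]]) -> List[str]:
    """Chains where every required Safe contract was found."""
    return [chain for chain, missing in report.items() if not missing]


if __name__ == "__main__":
    # Constructed stubs standing in for live RPC nodes: one chain has Safe
    # bytecode at both addresses, the other returns "0x" for both (the case the
    # finding describes). Replace with eth_get_code("<rpc url>") for a real run.
    def stub(deployed: bool) -> CodeGetter:
        return lambda _addr: "0x6080604052" if deployed else "0x"

    report = preflight({"Ethereum": stub(True), "Fantom": stub(False)})
    for chain, missing in report.items():
        status = "ok" if not missing else "BLOCKED: missing " + ", ".join(missing)
        print(f"{chain:<22} {status}")
```

Wire `eth_get_code(rpc_url)` in for each chain to run it against real nodes; a chain that reports any missing dependency should block the deployment pipeline rather than be discovered after the fact when SafeDeployer's calls revert.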

c4-pre-sort commented 10 months ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as primary issue

raymondfam commented 10 months ago

Informational. QA at best.

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #398

c4-judge commented 10 months ago

alex-ppg marked the issue as not a duplicate

alex-ppg commented 10 months ago

The Warden states that there is an inaccuracy in the supported chains specified by the Sponsor. The submission does not detail a chain compatibility issue but rather specifies that the Gnosis Safe system has not yet been deployed on Fantom, meaning that a deployment of Brahma on that chain would not be correct.

The Fantom system has actually created an unofficial distribution of the Gnosis Safe system on their chain, and additionally, the Brahma team is free to simply deploy the Gnosis Safe system there.

As such, this exhibit is ineligible for a reward given that it does not point out a chain compatibility issue.

c4-judge commented 10 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope