Closed c4-submissions closed 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as primary issue
Informational. QA at best.
raymondfam marked the issue as duplicate of #398
alex-ppg marked the issue as not a duplicate
The Warden states that there is an inaccuracy in the supported chains specified by the Sponsor. The submission does not detail a chain compatibility issue but rather specifies that the Gnosis Safe system has not yet been deployed on Fantom, meaning that a deployment of Brahma on that chain would not be correct.
The Fantom system has actually created an unofficial distribution of the Gnosis Safe system on their chain and, additionally, the Brahma team is free to simply deploy the Gnosis Safe system there.
As such, this exhibit is ineligible for a reward given that it does not point out a chain compatibility issue.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/SafeDeployer.sol#L128
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/PolicyValidator.sol#L63
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ExecutorPlugin.sol#L90
Vulnerability details
Impact
Brahma contracts may not work on some chains as it was announced in the contest.
Proof of Concept
On the contest page there is a list of target chains where the protocol should work:
All of these chains should work with Gnosis Safe Wallets, as there are a lot of calls to it in different core contracts, like ExecutorPlugin, SafeDeployer, PolicyValidator, etc.
However, Gnosis does not support the Fantom chain at that moment: https://help.safe.global/en/articles/40795-supported-networks
So any calls at that chain will fail.
Tools Used
Manual review
Recommended Mitigation Steps
Consider checking supported chains before protocol deployment.
Assessed type
Context