Closed c4-submissions closed 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #39
alex-ppg marked the issue as not a duplicate
The Warden specifies functions in an out-of-scope contract. Additionally, the ConsoleOpBuilder contract is meant to be used as a utility that enables the generation of ABI-encoded payloads for submission to e.g. a Gnosis Safe multi-call. It cannot directly influence how an arbitrary Gnosis Safe is configured, as the payload would need to be approved by its signers and the relevant validation processes (i.e. PolicyValidator).
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ConsoleOpBuilder.sol#L30
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ConsoleOpBuilder.sol#L68
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ConsoleOpBuilder.sol#L95
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ConsoleOpBuilder.sol#L149
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/registries/PolicyRegistry.sol#L66
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/registries/PolicyRegistry.sol#L35
Vulnerability details
Impact
Unverified Policy Activation in ConsoleOpBuilder

Related code: the updatePolicy and _updatePolicy functions in PolicyRegistry.sol, around lines 66 and 35. The enablePolicyOnConsole function is responsible for generating multicall bytecode to enable a policy on a Brahma console account. It does not verify that the supplied policy is registered in the PolicyRegistry before generating the bytecode.

Proof of Concept
Exploiting the Unverified Policy Activation in ConsoleOpBuilder

Target Function: enablePolicyOnConsole in ConsoleOpBuilder.sol (line 23).

Attack Scenario:
1. The attacker targets the enablePolicyOnConsole function.
2. The attacker calls the enablePolicyOnConsole function with a valid Brahma console account and their malicious policy's commit hash.

Consequences:

Verification: Call enablePolicyOnConsole with a valid Brahma console account and an arbitrary, unregistered policy commit hash.

Tools Used
VS Code
Recommended Mitigation Steps
For the vulnerability identified in the enablePolicyOnConsole function of the ConsoleOpBuilder.sol contract:

Validate Policy Before Activation:
- Modify the enablePolicyOnConsole function to validate the policy's registration status in the PolicyRegistry before generating the multicall bytecode.
- Add a function to the PolicyRegistry contract that verifies if a given policy is registered.

Access Control:
- Restrict the enablePolicyOnConsole function to only trusted entities.
- Check msg.sender against a list of authorized addresses.

Rate Limiting:

Recommended to fix it:
```solidity
// Track which policy commits have been registered.
mapping(bytes32 => bool) public isPolicyRegistered;

// Modify the existing function that registers a policy (assuming such a function exists)
function registerPolicy(bytes32 policyCommit) external {
    // Your existing logic for policy registration...
    isPolicyRegistered[policyCommit] = true;
}

// Add a function to check if a policy is registered
function isRegisteredPolicy(bytes32 policyCommit) external view returns (bool) {
    return isPolicyRegistered[policyCommit];
}
```
We're tracking registered policies in the PolicyRegistry. We're checking in the ConsoleOpBuilder if the policy being set is registered.
Issue Type: Improper Input Validation
Explanation:
Improper input validation refers to the absence of checks or validations for the inputs that a function or system receives. When a system doesn't validate or sanitize its inputs adequately, it can be susceptible to various types of attacks. In this specific context, the enablePolicyOnConsole function in the ConsoleOpBuilder.sol contract doesn't validate if the provided policy (input) is registered in the PolicyRegistry before processing it.

Consequences:
In the Broader Context:
Improper input validation is a common vulnerability in software development. It's especially critical in blockchain and smart contract development due to the immutable nature of deployed contracts. Once a vulnerability is exploited, it can't be easily rectified without updating the contract or, in some cases, performing a network fork.
Assessed type
Invalid Validation
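The mitigation proposed in this report, assembled into a compilable pair of contracts as an added example. This is illustrative code written for this page, not Brahma's ConsoleOpBuilder or PolicyRegistry: the contract names, the owner-only registration, the `updatePolicy(address,bytes32)` selector used for the encoded payload and the PolicyNotRegistered error are all assumptions. The builder queries the registry and reverts before it encodes anything for a commit the registry does not know about. The judge's note above still applies to this shape of fix: the builder only produces calldata, and whatever it emits must still be approved by the Safe's signers and pass PolicyValidator before it takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative registry (assumption, not Brahma's PolicyRegistry): records which
/// policy commit hashes have been registered by the registry owner.
contract PolicyRegistryExample {
    address public immutable owner;
    mapping(bytes32 => bool) internal isPolicyRegistered;

    event PolicyRegistered(bytes32 indexed policyCommit);

    error NotOwner();
    error ZeroCommit();

    constructor() {
        owner = msg.sender;
    }

    /// Only the owner may register a commit; the zero hash is rejected so an
    /// uninitialised value can never read as "registered".
    function registerPolicy(bytes32 policyCommit) external {
        if (msg.sender != owner) revert NotOwner();
        if (policyCommit == bytes32(0)) revert ZeroCommit();
        isPolicyRegistered[policyCommit] = true;
        emit PolicyRegistered(policyCommit);
    }

    /// The query the builder relies on.
    function isRegisteredPolicy(bytes32 policyCommit) external view returns (bool) {
        return isPolicyRegistered[policyCommit];
    }
}

interface IPolicyRegistryExample {
    function isRegisteredPolicy(bytes32 policyCommit) external view returns (bool);
}

/// Illustrative builder (assumption, not Brahma's ConsoleOpBuilder): refuses to
/// encode an enable-policy payload for a commit the registry has not registered.
contract ConsoleOpBuilderExample {
    IPolicyRegistryExample public immutable policyRegistry;

    error PolicyNotRegistered(bytes32 policyCommit);

    constructor(IPolicyRegistryExample registry) {
        policyRegistry = registry;
    }

    /// Returns ABI-encoded calldata for a hypothetical `updatePolicy(address,bytes32)`
    /// call. The registration check runs before any encoding, so an unregistered
    /// commit never produces a payload that could be handed to a Safe for signing.
    function enablePolicyOnConsole(address consoleAccount, bytes32 policyCommit)
        external
        view
        returns (bytes memory)
    {
        if (!policyRegistry.isRegisteredPolicy(policyCommit)) {
            revert PolicyNotRegistered(policyCommit);
        }
        return abi.encodeWithSignature(
            "updatePolicy(address,bytes32)", consoleAccount, policyCommit
        );
    }
}
```

Deploy PolicyRegistryExample, pass its address to ConsoleOpBuilderExample, and call enablePolicyOnConsole twice: once with a commit that has been passed through registerPolicy, which returns the encoded calldata, and once with an arbitrary unregistered hash, which reverts with PolicyNotRegistered. The check is a view call into the registry rather than a copy of its state, so a commit registered later is accepted without redeploying the builder.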