Closed c4-submissions closed 12 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #17
alex-ppg marked the issue as not a duplicate
As the salt_ is part of the hash of the actual nonce utilized for the Gnosis Safe deployment, it is indeed incorporated into the Gnosis Safe's address generation mechanism. As such, this exhibit is invalid.
alex-ppg marked the issue as unsatisfactory: Invalid
Thank you @alex-ppg for the clarity, I clearly understand now.
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/SafeDeployer.sol#L219-L245 https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/SafeDeployer.sol#L253-L255
Vulnerability details
Impact
The salt provided for account creation is only used for nonce generation. An attacker could pre-compute addresses for a victim's safe owners and front-run deployment. The salt should also be incorporated into the address generation.
Proof of Concept
The salt usage for nonce generation in the _createSafe function:
https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/SafeDeployer.sol#L219-L245
https://github.com/code-423n4/2023-10-brahma/blob/c217699448ffd7ec0253472bf0d156e52d45ca71/contracts/src/core/SafeDeployer.sol#L253-L255
As you can see, the _salt is only used as an input to generate the nonce. It is not incorporated into the final safe address itself.
This allows an attacker to pre-compute addresses by brute forcing salts offline, then deploying safes using those salts to claim the pre-computed addresses with victims' owners.
The use of salt can be exploited. Here is why:
The key functions involved in safe creation are _createSafe and _genNonce:
As you can see, the _salt provided by the caller is only used as an input to generate the nonce. The nonce is then passed to the ProxyFactory's createProxyWithNonce to deploy the safe contract itself.
The _salt does not directly affect the generated safe address - it is only used for the nonce.
This allows an attacker to pre-compute safe addresses for a victim's owner list by brute forcing different _salt values offline to generate the corresponding nonces and addresses.
For example:
This attack works because the _salt does not sufficiently participate in generating the final safe address - it only affects the nonce.
Victim has safe owners [A, B, C] which they will use to deploy a safe.
Attacker learns these owners will be used.
Attacker writes a script that:
Iterates through 1 trillion random 32 byte salt values S1, S2..., S1trillion
For each salt Si:
Calls _genNonce(keccak256(encode([A, B, C])), Si)
Stores the resulting nonce Ni
Calculates the safe address Ai that would result from createProxyWithNonce(nonce = Ni)
This creates a mapping of (Si -> Ai) for 1 trillion salts.
When the victim deploys their real safe with salt S1million, the attacker looks up the pre-computed address A1million and deploys it first.
This concrete example demonstrates how an attacker could realistically pre-compute 1 trillion+ addresses offline by brute forcing salts. They could then front-run the victim's real deployment by looking up the address for their salt.
Tools Used
Manual
Recommended Mitigation Steps
_salt should be included in the address generation. For example, by passing it to create2:
This incorporates the caller's salt into the final safe address in a way that can't be brute forced.
Assessed type
Invalid Validation