c4-pre-sort
commented
1 year ago raymondfam marked the issue as low quality report
Closed c4-submissions closed 12 months ago
c4-pre-sort
commented
1 year ago raymondfam marked the issue as low quality report
c4-pre-sort
commented
1 year ago raymondfam marked the issue as primary issue
raymondfam
commented
1 year ago No loss of funds similar to an unbounded loop.
alex-ppg
commented
12 months ago The gas cost required to force the transaction to run out of gas is significant and the caller can simply utilize a different salt_ to start a fresh loop that would require the "attacker" to re-deploy all necessary wallets again. This scenario is unrealistic and as such, all relevant exhibits are invalid.
c4-judge
commented
12 months ago alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/a6424230052fc47c4215200c19a8eef9b07dfccc/contracts/src/core/SafeDeployer.sol#L219
Vulnerability details
Impact
There is a possibility of going into an infinite loop within the
_createSafefunction until out-of-gas.Proof of Concept
The condition
while (_safe == address(0))in_createSafefunction contains a do-while loop that continues as long as the _safe address remains zero. If theIGnosisProxyFactory.createProxyWithNoncefunction repeatedly fails due to reasons other than nonce conflicts, The _safe address will never be assigned a non-zero value, resulting in an infinite loop until out-of-gas. Point form explaination below.IGnosisProxyFactoryinterface._SAFE_CREATION_FAILURE_REASONor not due to nonce conflict, the _safe address wont be updated to non-zero value.while (_safe == address(0))is true and will lead into a infinite loop resulting to the function temporally.Tools Used
Manuel Review
Recommended Mitigation Steps
Implement a maximum retry count to limit the number of attempts to create a Gnosis Safe contract. Basically adding an additional condition to break the loop when the _safe address remains zero after the maximum number of retries.
Assessed type
Loop