Closed c4-submissions closed 10 months ago
Once main account owners change the fallback handler or guard on subaccount, operators and executors automatically lose access to subaccount to prevent any malicious activities by the operators or executors in absence of Validation. To restore access, main console can set the guard and handler back to console approved.
raymondfam marked the issue as primary issue
raymondfam marked the issue as low quality report
As the Sponsor has specified, the described behaviour of this and all relevant issues is desirable.
In detail:
As a result of the above, all relevant issues are considered invalid.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/ExecutorPlugin.sol#L73-L74
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/TransactionValidator.sol#L133
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/SafeModerator.sol#L71-L72
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/TransactionValidator.sol#L106
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/TransactionValidator.sol#L186-L197
Vulnerability details
Impact
If the Main Console resets the guard, resets the fallback handler, or disables itself as a module of a sub-account, the executors will permanently cease executing any transactions on that sub-account.

And also if the Main Console resets the fallback handler or disables itself as a module of a sub-account, the operators will not be able to execute any transactions on the sub-account.

Proof of Concept
I discovered the following three sentences in the README file.

I believe this indicates that the main console can reset the guard, reset the fallback handler, or disable itself as a module of a sub-account through module transactions.

Let's imagine that the main console reset the guard of the sub-account. And then, a particular executor initiates a valid transaction on that sub-account and calls the executeTransaction function of the ExecutorPlugin. Every transaction conducted through the ExecutorPlugin should require a security configuration check after the transaction is completed.

And all transactions will be reverted because this sub-account lacks a guard.

You can add the following test to the test/branch-trees/SafeModerator/SafeModerator.misc.t.sol to verify that the main console can reset the guard of a sub-account.

Tools Used
Recommended Mitigation Steps
The fix will be complex, and there are several potential approaches. The first option is to include checks in the transactions made by executors or operators of the sub-account to ensure they are not transactions for resetting the guard, resetting the fallback handler, or disabling the main console (the owner of that sub-account) as a module.

The second approach entails introducing a new contract responsible for maintaining the status of sub-accounts. Before executing transactions initiated by executors or operators, we would check the guard, fallback handler, and module of that sub-account and update the new contract accordingly. In the security configuration check after executing a transaction, we would compare the previous states with the current states to ensure security.

Assessed type
DoS
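
The security configuration check that this thread revolves around can be expressed as a small read-only contract. This is an added example, not code from the Brahma repository or from the report; it assumes the sub-account is a Safe, and the contract name, error names and constructor parameters are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of the Safe interface (StorageAccessible and ModuleManager).
interface ISafe {
    function getStorageAt(uint256 offset, uint256 length) external view returns (bytes memory);
    function isModuleEnabled(address module) external view returns (bool);
}

/// Hypothetical read-only checker; not Brahma's TransactionValidator.
contract SubAccountConfigCheck {
    // Storage slots where a Safe keeps its guard and its fallback handler.
    bytes32 internal constant GUARD_SLOT = keccak256("guard_manager.guard.address");
    bytes32 internal constant HANDLER_SLOT = keccak256("fallback_manager.handler.address");

    address public immutable approvedGuard;   // assumption: the console-approved guard
    address public immutable approvedHandler; // assumption: the console-approved fallback handler

    error InvalidGuard(address found);
    error InvalidFallbackHandler(address found);
    error OwnerNotModule(address mainConsole);

    constructor(address guard_, address handler_) {
        approvedGuard = guard_;
        approvedHandler = handler_;
    }

    /// Reverts unless the sub-account still has the approved guard and fallback
    /// handler and its main console is still enabled as a module.
    function check(address subAccount, address mainConsole) external view {
        address guard = _readAddress(subAccount, GUARD_SLOT);
        if (guard != approvedGuard) revert InvalidGuard(guard);

        address handler = _readAddress(subAccount, HANDLER_SLOT);
        if (handler != approvedHandler) revert InvalidFallbackHandler(handler);

        if (!ISafe(subAccount).isModuleEnabled(mainConsole)) revert OwnerNotModule(mainConsole);
    }

    // Reads one 32-byte storage word from the Safe and decodes it as an address.
    function _readAddress(address safe, bytes32 slot) private view returns (address) {
        bytes memory word = ISafe(safe).getStorageAt(uint256(slot), 1);
        return abi.decode(word, (address));
    }
}
```

Calling `check` after the main console resets the guard reverts with `InvalidGuard(address(0))`, and it passes again once the guard is set back to the approved address.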