Closed c4-submissions closed 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #16
alex-ppg marked the issue as not a duplicate
0xad1onchain (sponsor) acknowledged
As the relevant PR of the Gnosis Safe repository details, the misbehaviour arises:
next
pointer yielded by the functionThe relevant code of Brahma does not actually use the next
pointer, meaning that it is insecure despite the Gnosis Safe misbehaviour outlined. As such, this exhibit is invalid as no wrong data is returned by the function.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/ConsoleFallbackHandler.sol#L91-L96
Vulnerability details
Impact
In
ConsoleFallbackHandler
, you can callgetModules()
to return the first 10 modules:However, there is a bug in the external call
safe.getModulesPaginated
. In the version that Brahma is using of Safe contracts, version 1.3.0, the functionGnosisSafe.getModulesPaginated
returns the wrongnext
pointer, leading to wrong data being returned.This has been fixed in the newer versions of Safe contracts. Brahma still uses the old version 1.3.0
Tools Used
Manual Review
Recommended Mitigation Steps
Upgrade to a more recent version of Safe.
Assessed type
Context