code-423n4 / 2023-10-brahma-findings


QA Report #424

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

See the markdown file with the details of this report here.

c4-pre-sort commented 1 year ago

raymondfam marked the issue as sufficient quality report

alex-ppg commented 1 year ago

Decent report with well-elaborated findings. L-01 may be a design decision (i.e. a critical update is needed due to a vulnerability and thus SubAccount implementations are forced to update).

c4-judge commented 1 year ago

alex-ppg marked the issue as grade-a

0xad1onchain commented 1 year ago

Thanks for the report. I agree with all Non Critical findings.

L-01: SafeModerator and ConsoleFallbackHandler can only be updated by governance and may be done in extreme scenarios. Only registries are kept immutable because they hold state.

L-02: While I totally understand your point that an attacker deployed the same bytecode at the deterministic CREATE2 address, for some reason Safe changed their safe deployer implementation and removed the initializer as a part of address determination, leading us to question if there is a possible exploit; we chose to keep it safe and make sure we use an address that we deploy.

c4-sponsor commented 1 year ago

0xad1onchain (sponsor) acknowledged

c4-judge commented 1 year ago

alex-ppg marked the issue as selected for report