Closed c4-submissions closed 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #39
alex-ppg marked the issue as not a duplicate
In the case that the ExecutorPlugin
is not properly enabled as a module, the transaction will simply fail when attempting to perform the IGnosisSafe::execTransactionFromModule
function.
As such, no security concern can arise from this behaviour. Sub-accounts are meant to enable the ExecutorPlugin
on a need-to basis as it may not be required by all sub-accounts.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/TransactionValidator.sol#L181-L198
Vulnerability details
There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin
Impact
Can cause malfunctions if the user wants to execute tx via
ExecutorPlugin
on the sub-accountProof of Concept
If the user wants to execute tx on a sub-account via the
ExecutorPlugin
then, of course, theExecutorPlugin
as a module on the sub-account must be activated. The basis of the sub-account is Gnosif-Safe too, in which there is anenableModule
function whose function is to activate the module on the sub-account. But in this case that never happened.In this document it can be seen clearly how tx can be executed on sub-accounts via the
ExecutorPlugin
. ForExecutor
to make a transaction onSubAccount
viaExecutorPlugin
. Execution viaExecutorPlugin
executes in 3 steps;Executor
callsexecuteTransaction()
function onExecutorPlugin
enabled as module onSubAccount
. TheExecutorPlugin
validates that signerExecutor
is registered onExecutorRegistry
, then transfers the control toTransactionValidator
by callingvalidatePreExecutorTransaction()
which in turn transfers the control toPolicyValidator
by callingisPolicySignatureValid()
to check theTrusted Validator Signature
is valid and then returns the control back toExecutorPlugin
viaTransactionValidator
.ExecutorPlugin
executes transaction onSubAccount
as module.ExecutorPlugin
callsvalidatePostExecutorTransaction()
function onTransactionValidator
. to check thatSafeModerator
hasn't been removed as guard onSubAccount
andConsoleAccount
hasn't been removed as module onSubAccount
.Here is a very good document from the Brahma team.
Checking whether the module is active or not is in the
validatePostTransaction
function in theTransactionValidator.sol
contract, where this function calls the internal function_checkSubAccountSecurityConfig
In this function (line 197), what is checked is only whether the console account is active as a module or not, but it does not check whether the
ExecutorPlugin
is active as a module or not. If the transaction continues then unusual behavior may occur on the transaction.Tools Used
Manual review
Recommended Mitigation Steps
Check if the
ExecutorPlugin
module is enabled, revert if not.Assessed type
Error