registerWallet in WalletRegistry missing access control
Proof of Concept
the wallet can be registered by calling registerWallet
/**
* @notice Registers a wallet
* @dev Can only be called by safe deployer or the wallet itself
*/
function registerWallet() external {
if (isWallet[msg.sender]) revert AlreadyRegistered();
if (subAccountToWallet[msg.sender] != address(0)) revert IsSubAccount();
isWallet[msg.sender] = true;
emit RegisterWallet(msg.sender);
}
as the comment suggest, the method should only be able to called by safe deployer or wallet itself
however, the check that if msg.sender is safe deployer is missing
anyone can register as wallet then call sensitive function such as updatePolicy from PolicyRegistry.sol
Tools Used
Manual Review
Recommended Mitigation Steps
add validation
if (msg.sender != AddressProviderService._getAuthorizedAddress(_SAFE_DEPLOYER_HASH)) revert InvalidSender();
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/registries/WalletRegistry.sol#L35
Vulnerability details
Impact
registerWallet in WalletRegistry missing access control
Proof of Concept
the wallet can be registered by calling registerWallet
as the comment suggest, the method should only be able to called by safe deployer or wallet itself
however, the check that if msg.sender is safe deployer is missing
anyone can register as wallet then call sensitive function such as updatePolicy from PolicyRegistry.sol
Tools Used
Manual Review
Recommended Mitigation Steps
add validation
Assessed type
Access Control