Closed c4-submissions closed 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #39
alex-ppg marked the issue as not a duplicate
The Warden talks about a Singleton which does not apply to the Brahma system. Swapping the "address" of the Gnosis Safe is not possible.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/TransactionValidator.sol#L197
Vulnerability details
Bug Description
Operators, executors, or the Main Console account can execute transactions on behalf of a SubAccount. SubAccounts must have an enabled SafeModerator guard, which checks whether the guard and handler have not been disabled or updated, and whether the owner console, acting as a module, has not been disabled. But there is no check to verify whether the user has changed the current singleton to another, malicious one.
Proof-of-Concept
Anyone from the list mentioned above can send a transaction to change the Singleton (GnosisSafe implementation). For operators and executors, the TRUSTED VALIDATOR should allow this.
Any of these actors can set the address of the GnosisSafe implementation to a malicious one. For example, the internal function TransactionValidator._checkSubAccountSecurityConfig, which calls the IGnosisSafe.isModuleEnabled function, may return an invalid value. As a result, the owner console as a module can be disabled, but isModuleEnabled will still return 'true':
Impact
Since there is no check in place to prevent subAccounts from altering the Singleton, it is possible to set a malicious one and manipulate function calls on the subAccount. I understand that this can be done manually and bypass all security measures, but the protocol itself does not verify this, as it does with guard, fallback handler, and module.
Tools Used
Manual
Recommended Mitigation Steps
Consider validating whether the address of the Gnosis Safe implementation has not changed to a malicious one using the SafeModerator guard within the _checkSubAccountSecurityConfig function.
Assessed type
Invalid Validation