Closed c4-submissions closed 10 months ago
Invalid: all this function does is provide calldata to execute the operation; it does not actually execute it.
Also, the given calldata can only be executed by the main console account and would revert if anyone else executes it.
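The distinction the sponsor draws, a builder that only returns ABI-encoded bytes versus an account that gates execution on `msg.sender`, as an added, constructed illustration. This is not Brahma's `ConsoleOpBuilder` or console code; `OpBuilder`, `Account`, `Attacker`, `Demo`, the `setGuard`/`execute` functions and the `0xBEEF` guard address are all hypothetical names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example (not Brahma code): a calldata builder versus an executor.

interface IGuardable {
    function setGuard(address guard) external;
}

/// The builder holds no state and changes nothing. Anyone may call it;
/// all they get back is a byte string they still cannot execute on their own.
contract OpBuilder {
    function buildClearGuard() external pure returns (bytes memory) {
        return abi.encodeWithSelector(IGuardable.setGuard.selector, address(0));
    }
}

/// Hypothetical stand-in for the account that would execute such calldata.
/// The access control lives here, on the execution path, not in the builder.
contract Account is IGuardable {
    address public immutable owner;
    address public guard;

    error Unauthorized(address caller);

    constructor(address _owner, address _guard) {
        owner = _owner;
        guard = _guard;
    }

    /// Only the account itself (via execute) may change its guard.
    function setGuard(address newGuard) external override {
        if (msg.sender != address(this)) revert Unauthorized(msg.sender);
        guard = newGuard;
    }

    /// Only the owner may hand calldata to the account; anyone else reverts.
    function execute(address to, bytes calldata data) external returns (bytes memory) {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        (bool ok, bytes memory ret) = to.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// A third party that tries to execute the payload it was able to build.
contract Attacker {
    function tryExecute(Account acct, address to, bytes memory data) external returns (bool ok) {
        try acct.execute(to, data) {
            ok = true;
        } catch {
            ok = false;
        }
    }
}

/// Deploys the pieces and reports the three outcomes a reviewer would check.
contract Demo {
    function run() external returns (bool anyoneCanBuild, bool attackerReverts, bool ownerSucceeds) {
        OpBuilder builder = new OpBuilder();
        Account acct = new Account(address(this), address(0xBEEF)); // Demo is the owner
        Attacker attacker = new Attacker();

        // 1. Anyone can produce the payload; it is just 4-byte selector + 32-byte argument.
        bytes memory data = builder.buildClearGuard();
        anyoneCanBuild = data.length == 36;

        // 2. A non-owner handing that payload to the account reverts; guard is untouched.
        attackerReverts = !attacker.tryExecute(acct, address(acct), data)
            && acct.guard() == address(0xBEEF);

        // 3. The owner executing the same bytes does clear the guard.
        acct.execute(address(acct), data);
        ownerSucceeds = acct.guard() == address(0);
    }
}
```

Deploy `Demo` and call `run()`; it returns `(true, true, true)`. The middle value is the point of the sponsor's reply: possession of the calldata gives a third party nothing, because the only state change happens inside `execute`, which checks the caller.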
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #144
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as primary issue
As the Sponsor has specified, this function simply crafts an ABI-encoded payload and does not really execute anything. Additionally, the relevant smart contract is out of scope per the official C4 contest scope.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/a6424230052fc47c4215200c19a8eef9b07dfccc/contracts/src/core/ConsoleOpBuilder.sol#L68
Vulnerability details
Impact
Everyone can disable the policy of any Brahma console account.
If you look at the function `disablePolicyOnConsole`, it is designed to disable the policy and set the guards to 0, which is an important decision for any account. But the problem is that everyone can disable a random person's account, because there is no validation of the caller at all, of any kind. A bad actor can disable every account's policy whenever they want and set the Gnosis guards to the 0 address.
Proof of Concept
https://github.com/code-423n4/2023-10-brahma/blob/a6424230052fc47c4215200c19a8eef9b07dfccc/contracts/src/core/ConsoleOpBuilder.sol#L68
Tools Used
VS Code
Recommended Mitigation Steps
Assessed type
Access Control