Closed c4-submissions closed 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #71
alex-ppg marked the issue as not a duplicate
If the threshold parameter of the safe is altered, its initializer will also be affected meaning that the Gnosis Safe will be deployed at a different address than expected. As such, it is not possible to deploy a configured safe of n-out-of-m security in chain A to chain B at the same address using a 1-out-of-m configuration.
alex-ppg marked the issue as unsatisfactory: Invalid
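
Added example (not part of the issue thread, and not code from the Brahma or Safe repositories): a sketch of the address derivation the comment above relies on. It assumes the Safe proxy factory computes its CREATE2 salt as keccak256(abi.encodePacked(keccak256(initializer), saltNonce)). The names ISafeSetup and ThresholdSaltCheck and the zeroed setup fields are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not code from the Brahma or Safe repositories.
interface ISafeSetup {
    function setup(
        address[] calldata _owners, uint256 _threshold, address to, bytes calldata data,
        address fallbackHandler, address paymentToken, uint256 payment, address payable paymentReceiver
    ) external;
}

contract ThresholdSaltCheck {
    // Initializer calldata for Safe.setup. Only owners and threshold vary here;
    // the remaining fields are zero placeholders (assumption for this example).
    function initializer(address[] memory owners, uint256 threshold) public pure returns (bytes memory) {
        return abi.encodeWithSelector(
            ISafeSetup.setup.selector,
            owners, threshold, address(0), bytes(""), address(0), address(0), uint256(0), address(0)
        );
    }

    // Salt derivation assumed to match the Safe proxy factory's createProxyWithNonce.
    function create2Salt(bytes memory init, uint256 saltNonce) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(keccak256(init), saltNonce));
    }

    // Standard CREATE2 address: low 20 bytes of keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode)).
    function predict(address factory, bytes32 salt, bytes32 initCodeHash) public pure returns (address) {
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), factory, salt, initCodeHash)))));
    }

    // Compares the predicted address of an n-of-m deployment with a 1-of-m deployment
    // that reuses the same factory, proxy init code, owners and saltNonce.
    // The threshold is hashed into the salt through the initializer, so the two
    // predictions differ whenever n != 1.
    function collides(address factory, bytes32 initCodeHash, address[] memory owners, uint256 n, uint256 saltNonce)
        external pure returns (bool)
    {
        address a = predict(factory, create2Salt(initializer(owners, n), saltNonce), initCodeHash);
        address b = predict(factory, create2Salt(initializer(owners, 1), saltNonce), initCodeHash);
        return a == b;
    }
}
```
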
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/SafeDeployer.sol#L47-L71
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/SafeDeployer.sol#L253-L255
Vulnerability details
Impact
The same order of _owners addresses lets one generate the same console address on all chains. But any owner from the list can deploy console accounts on other chains with the _threshold parameter equal to 1 and then change owners in these accounts, i.e. capture these addresses. Another problem is that any user can deploy console accounts on other chains with _threshold == _owners.length. So to reconfigure these accounts it is necessary to have signatures from all owners from the list, but this is not always possible (compromising, dismissals, etc.).
Proof of Concept
It is enough to use the same _salt and the same _owners (in the same order) to generate the same console address on all chains with the deployConsoleAccount function of the SafeDeployer contract:
The _salt and _owners parameters are used for nonce calculation:
Then the nonce is used for a new Gnosis Safe creation.
Also, the _owners parameter with the _threshold parameter are used for the console account setup in the _setupConsoleAccount. The _threshold parameter is very important for a multisig but it is not included in the nonce. So new console accounts on other chains can be deployed with different _thresholds. This lets any owner from the initial list capture the addresses on other chains by deploying console accounts with the _threshold parameter equal to 1 and removing other owners. This issue can also be exploited by any user with different aims and unexpected consequences.
Tools Used
Manual review
Recommended Mitigation Steps
Consider using the _threshold parameter at the nonce calculation in addition to _owners for a new Gnosis Safe creation.
Assessed type
Other