Closed c4-bot-8 closed 4 months ago
Picodes marked the issue as duplicate of #802
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #838
Picodes marked the issue as satisfactory
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/ManagedWallet.sol#L68
Vulnerability details
A proposal to change the main and confirmation wallet addresses of a ManagedWallet can only be made if the current value of proposedMainWallet is address(0), i.e. no pending proposal exists (https://github.com/code-423n4/2024-01-salty/blob/main/src/ManagedWallet.sol#L49).
A proposal is accepted or rejected by sending Ether to the ManagedWallet from the current confirmation wallet. If the Ether amount sent is less than 0.05 Ether, the proposal is rejected. However, rejecting the proposal does not reset proposedMainWallet to address(0), so no future proposals can be made.
Impact
After a proposal to change the main and confirmation wallet addresses of a ManagedWallet has been rejected, no further proposals to change the wallet can be made, except if the proposal is accepted and then executed (which is still possible after rejecting it).
Proof of Concept
https://github.com/code-423n4/2024-01-salty/blob/main/src/ManagedWallet.sol#L41-L55:
Proposing new addresses via proposeWallets() is only possible if proposedMainWallet == address(0) and this sets proposedMainWallet:
https://github.com/code-423n4/2024-01-salty/blob/main/src/ManagedWallet.sol#L58-L69:
Rejecting the proposal sets the activeTimelock to type(uint256).max so changeWallets() cannot be called to execute the change, but doesn't reset proposedMainWallet, prohibiting future proposals:
Recommended Mitigation Steps
Set proposedMainWallet to address(0) in the else branch in receive().
Assessed type
Invalid Validation
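The recommended mitigation, shown in a simplified model of the propose / confirm / execute flow this report describes. This is an added example, not the Salty ManagedWallet source: the access checks, the TIMELOCK_DURATION value, and the names mainWallet, confirmationWallet and proposedConfirmationWallet are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; not the Salty ManagedWallet source.
contract ManagedWalletModel {
    uint256 public constant TIMELOCK_DURATION = 30 days; // assumed value

    address public mainWallet;                 // assumed name
    address public confirmationWallet;         // assumed name
    address public proposedMainWallet;
    address public proposedConfirmationWallet; // assumed name
    uint256 public activeTimelock = type(uint256).max;

    constructor(address _main, address _confirmation) {
        mainWallet = _main;
        confirmationWallet = _confirmation;
    }

    function proposeWallets(address _main, address _confirmation) external {
        require(msg.sender == mainWallet, "only main wallet"); // assumed access check
        require(_main != address(0) && _confirmation != address(0), "zero address");
        // Guard described in the report: only one pending proposal at a time.
        require(proposedMainWallet == address(0), "proposal pending");
        proposedMainWallet = _main;
        proposedConfirmationWallet = _confirmation;
    }

    receive() external payable {
        require(msg.sender == confirmationWallet, "only confirmation wallet");
        if (msg.value >= 0.05 ether) {
            activeTimelock = block.timestamp + TIMELOCK_DURATION; // accept
        } else {
            activeTimelock = type(uint256).max; // reject
            // Recommended mitigation: also clear the pending proposal so that
            // proposeWallets() passes its guard again. Without these two lines
            // the guard reverts for every later proposal.
            proposedMainWallet = address(0);
            proposedConfirmationWallet = address(0);
        }
    }

    function changeWallets() external {
        require(msg.sender == proposedMainWallet, "only proposed main wallet"); // assumed
        require(block.timestamp >= activeTimelock, "timelock active");
        mainWallet = proposedMainWallet;
        confirmationWallet = proposedConfirmationWallet;
        activeTimelock = type(uint256).max;
        proposedMainWallet = address(0);
        proposedConfirmationWallet = address(0);
    }
}
```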