Organization with the same id can be created, which will override `depthTreeLimit` for previously created org

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x14f54acb58827004d6b18e40f5c80fcae35ec70e48db2b5a26738096fb82db52 Severity: medium

Description: Description\ When creating a org in PalmeraModule user has to provide orgName

    function registerOrg(string calldata orgName)
        external
        IsSafe(_msgSender())
        returns (uint256 safeId)
    {
        bytes32 name = keccak256(abi.encodePacked(orgName));
        address caller = _msgSender();
        safeId = _createOrgOrRoot(orgName, caller, caller);
        orgHash.push(name);
        // Setting level by Default
        depthTreeLimit[name] = 8;

        emit Events.OrganisationCreated(caller, name, orgName);
    }

_createOrgOrRoot hashes the name only if caller == newRootSafe. But if the caller is different, it tries to fetch it from getOrgHashBySafe(caller). This means that it is possible to create two organizations with the same name. Once hash is obtained from bytes32(keccak256(abi.encodePacked(name))) and other time from getOrgHashBySafe(caller). This will result in overriding depthTreeLimit for this name and adding the same name again inside orgHash Attack Scenario\ Describe how the vulnerability can be exploited.

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

[0xRizwan]

Invalid, since for creation of organization, both caller and newRootSafe would be always same.

        safeId = _createOrgOrRoot(orgName, caller, caller);

When caller and root safe is different, that condition is applicable in createRootSafe() function only.

[alfredolopez80]

agree @0xRizwan is invalid!!