Open hats-bug-reporter[bot] opened 1 week ago
is a valid issue @0xmahdirostami but definitely is not high!!
@alfredolopez80, thank you. Yes, this is not high; the impacts are as follows:

`function addToList(address[] memory users)`, the new root must perform 50 separate transactions to remove each user from the list one by one. Just remember, the scenario isn't just by chance: anyone could front-run, make changes and remove the org.

Besides that, in regard to this issue and other issues like issue 3, safe wallets are not like EOAs. For example, a safe wallet has 5 owners with threshold 4: 4 people sign and decide, so if the transaction reverts or needs additional unnecessary steps, the impact is higher compared to a normal EOA.

I think it could be labeled as medium, “Gas griefing attacks (make users overpay for gas)”.
Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x78d66b6486d668178f5595fab64e6f76fb0ff5c60b75adaeaaebed8ed401deb8
Severity: high

Description: When organizations are deleted, not all state information about them is completely removed. This can affect new users who register organizations with the same name. Some of these residual states include `allowFeature`, `listed[org]`, and `listCount`.

Impact: New users registering organizations with the same name as previously deleted organizations can inherit unwanted residual states, potentially causing functional and security issues.

Scenario:
`addToList` and enables the denylist with `enableDenylist`.

Mitigation: clear all storage variables related to the org in `removeOrg`.
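As an added illustration of the residual-state bug and its mitigation (not the audited project's code): a hypothetical minimal registry in which `removeOrgUnsafe` shows the reported pattern and `removeOrg` clears every org-scoped slot. The org id derived from the name, the `root` mapping, the `listedUsers` enumeration array and all function signatures are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical registry (example only, not the project's code) showing why a partial
/// delete lets a re-registered org with the same name inherit stale denylist state.
contract OrgRegistry {
    mapping(bytes32 => address) public root;                     // org id -> controlling wallet (assumed)
    mapping(bytes32 => bool) public allowFeature;                // per-org feature flag (name from the report)
    mapping(bytes32 => mapping(address => bool)) public listed;  // org -> user -> denylisted (name from the report)
    mapping(bytes32 => uint256) public listCount;                // listed users per org (name from the report)
    mapping(bytes32 => address[]) internal listedUsers;          // assumed helper: mappings cannot be iterated,
                                                                 // so keys are recorded to make `listed` clearable

    modifier onlyRoot(bytes32 org) { require(msg.sender == root[org], "not root"); _; }

    function registerOrg(string calldata name) external returns (bytes32 org) {
        org = keccak256(bytes(name));   // same name => same storage slots => stale state is inherited
        require(root[org] == address(0), "exists");
        root[org] = msg.sender;
    }

    function addToList(bytes32 org, address[] memory users) external onlyRoot(org) {
        for (uint256 i = 0; i < users.length; i++) {
            if (!listed[org][users[i]]) {
                listed[org][users[i]] = true;
                listedUsers[org].push(users[i]);
                listCount[org]++;
            }
        }
    }

    function enableDenylist(bytes32 org) external onlyRoot(org) { allowFeature[org] = true; }

    // Reported pattern: only the ownership pointer is cleared; allowFeature, listed and
    // listCount survive and apply to whoever registers the same name next.
    function removeOrgUnsafe(bytes32 org) external onlyRoot(org) {
        delete root[org];
    }

    // Mitigation: clear every org-scoped slot so a re-registration starts clean.
    // The loop is bounded by the number of listed users, so a very long list could
    // exceed the block gas limit; a paginated clear is the usual answer to that.
    function removeOrg(bytes32 org) external onlyRoot(org) {
        address[] storage users = listedUsers[org];
        for (uint256 i = 0; i < users.length; i++) {
            delete listed[org][users[i]];
        }
        delete listedUsers[org];
        delete listCount[org];
        delete allowFeature[org];
        delete root[org];
    }
}
```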