Open hats-bug-reporter[bot] opened 1 week ago
Non-Issue, @0xRizwan this is not a exploit is a expected behavior, because we have a SAFE_LEAD role (https://github.com/hats-finance/Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be/blob/1ac35880b5d45154267788e2db548eaaae0beaa0/src/libraries/DataTypes.sol#L11) inclusive a SAFE_LEAD_EXEC_ON_BEHALF_ONLY (https://github.com/hats-finance/Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be/blob/1ac35880b5d45154267788e2db548eaaae0beaa0/src/libraries/DataTypes.sol#L12)
and exit the posibility the SAFE_LEAD will be a Safe or EOA, so we can't verify the signature if is a SAFE_LEAD or SAFE_LEAD_EXEC_ON_BEHALF_ONLY
is an expected behavior and not a issue!!
Github username: -- Twitter username: -- Submission hash (on-chain): 0x8297b262e69dede5366403363435ffd277e6e2a4fc8f45136ed5f183b7e66b08 Severity: high
Description: Description\ The
execTransactionOnBehalf
function in thePalmeraModule.sol
allows an address to execute a transaction on behalf of another address if it has the necessary authority, verified by signatures. However, there is a significant issue with the implementation that allows thesafeLead
to bypass the signature verification checks.Impact
This vulnerability allows the
safeLead
to call theexecTransactionOnBehalf
function with any value they want, potentially draining thetargetSafe
. Since thesafeLead
can execute transactions without the signature verification that is required for other callers, this creates a serious security risk. ThesafeLead
can unilaterally execute transactions and transfer funds, leading to unauthorized access and possible loss of assets.Attack Scenario\
Attack Scenario: Exploiting
execTransactionOnBehalf
to DraintargetSafe
In this attack scenario, the attacker exploits the
execTransactionOnBehalf
function to drain all the Ether held by thetargetSafe
. The attack leverages the fact that thesafeLead
can bypass signature verification checks, allowing unauthorized transactions to be executed.Attacker Contract
The attacker's contract includes a
receive()
fallback function that only receives native currency:Proof of Concept
Here is the full attack scenario implemented in Solidity:
Attachments
Proof of Concept (PoC) File
Revised Code File
Files: