Open hats-bug-reporter[bot] opened 1 week ago
Only a small clarification: this issue only applies to execTransactionOnBehalf, because addOwnerWithThreshold and removeOwner are controlled by Palmera Roles through the requiresAuth modifier. You can check here: https://github.com/hats-finance/Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be/blob/1ac35880b5d45154267788e2db548eaaae0beaa0/src/PalmeraRoles.sol#L81
The rest we need to analyse more deeply!!
@alfredolopez80 yes, thank you. The note comment is wrong. Actually this issue is about execTransactionOnBehalf, allowing a lead with the SAFE_LEAD_MODIFY_OWNERS_ONLY role to have access control on it.
Good catch.
Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x7d4876c32195c1fd708d9f45457a3dc78a642b77579a1b97e9ee8c71a7044077
Severity: high

Description:

Title: Insufficient Access Control in execTransactionOnBehalf Due to Broad Lead Role Check

Description: In the execTransactionOnBehalf function, there is a check to bypass the signature verification if the caller is a Safe Lead. However, this check does not distinguish between the different Safe Lead roles (SAFE_LEAD, SAFE_LEAD_EXEC_ON_BEHALF_ONLY, and SAFE_LEAD_MODIFY_OWNERS_ONLY). The current implementation allows any lead role to bypass the signature check, which leads to insufficient access control.

Impact: Insufficient access control, allowing users with any lead role to bypass signature verification and execute transactions on behalf of the safe.

Proof of Concept (PoC):

Consider the execTransactionOnBehalf function:

The isSafeLead function only checks for the general _safe.lead:

The setRole function updates _safe.lead for all three lead roles:

Mitigation: Ensure that the execTransactionOnBehalf function checks specifically for the SAFE_LEAD_EXEC_ON_BEHALF_ONLY role before bypassing the signature verification. This can be achieved by modifying the role-checking logic.

Note: the same issue exists in the functions related to owners.
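As an added example (not code from the original report or from the Palmera project), the following constructed Solidity sketch shows the pattern the PoC describes: a setRole that writes one _safe.lead slot for all three lead roles, an isSafeLead check that reads only that slot, and a mitigated check beside it. The contract name, role ids, the per-address role mapping, the admin guard and the _checkSignatures stand-in are all assumptions made for illustration; treating the general SAFE_LEAD role as also allowed to skip signature verification is an assumption too, since the report names only SAFE_LEAD_EXEC_ON_BEHALF_ONLY.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed sketch of the access-control pattern described in the report.
/// This is NOT Palmera's code: the contract name, storage layout, role ids and
/// function bodies are assumptions made for illustration only.
contract LeadRoleSketch {
    // Role ids are assumed; the three role names are the ones the report lists.
    uint8 public constant NO_ROLE = 0;
    uint8 public constant SAFE_LEAD = 1;
    uint8 public constant SAFE_LEAD_EXEC_ON_BEHALF_ONLY = 2;
    uint8 public constant SAFE_LEAD_MODIFY_OWNERS_ONLY = 3;

    struct SafeData {
        address lead;                    // the single _safe.lead slot the report describes
        mapping(address => uint8) role;  // assumed per-address role record, used by the fixed check
    }

    mapping(uint256 => SafeData) private _safes;  // safeId => safe data
    address public immutable admin;

    event Executed(uint256 indexed safeId, address indexed caller, bool signaturesChecked);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    /// Grants a role. All three lead roles write the same `lead` slot, which is
    /// the root cause: once written, the slot no longer says which role was granted.
    function setRole(uint8 role, address user, uint256 safeId) external onlyAdmin {
        if (
            role == SAFE_LEAD ||
            role == SAFE_LEAD_EXEC_ON_BEHALF_ONLY ||
            role == SAFE_LEAD_MODIFY_OWNERS_ONLY
        ) {
            _safes[safeId].lead = user;
        }
        _safes[safeId].role[user] = role;
    }

    /// Vulnerable check: true for a holder of ANY lead role.
    function isSafeLead(uint256 safeId, address user) public view returns (bool) {
        return user != address(0) && _safes[safeId].lead == user;
    }

    /// Hardened check: true only for the roles meant to execute on behalf.
    /// Letting the general SAFE_LEAD role pass as well is an assumption here.
    function isExecOnBehalfLead(uint256 safeId, address user) public view returns (bool) {
        uint8 r = _safes[safeId].role[user];
        return isSafeLead(safeId, user) && (r == SAFE_LEAD || r == SAFE_LEAD_EXEC_ON_BEHALF_ONLY);
    }

    /// Vulnerable: a SAFE_LEAD_MODIFY_OWNERS_ONLY holder skips signature verification.
    function execTransactionOnBehalfVulnerable(uint256 safeId, bytes calldata signatures) external {
        bool checked = false;
        if (!isSafeLead(safeId, msg.sender)) {
            _checkSignatures(signatures);
            checked = true;
        }
        emit Executed(safeId, msg.sender, checked);
    }

    /// Fixed: only the exec-on-behalf lead roles skip signature verification;
    /// a SAFE_LEAD_MODIFY_OWNERS_ONLY holder must supply valid signatures.
    function execTransactionOnBehalfFixed(uint256 safeId, bytes calldata signatures) external {
        bool checked = false;
        if (!isExecOnBehalfLead(safeId, msg.sender)) {
            _checkSignatures(signatures);
            checked = true;
        }
        emit Executed(safeId, msg.sender, checked);
    }

    /// Stand-in for real owner-signature verification (assumption: the real
    /// routine recovers the signers and checks them against the safe's owners).
    function _checkSignatures(bytes calldata signatures) internal pure {
        require(signatures.length >= 65, "missing or short signatures");
    }
}
```

With this sketch, granting SAFE_LEAD_MODIFY_OWNERS_ONLY to an address makes isSafeLead return true for it, so execTransactionOnBehalfVulnerable skips _checkSignatures for that caller, while execTransactionOnBehalfFixed still reverts unless the caller supplies signatures. The point of keeping a per-address role record next to the lead slot is that the check at the call site can ask which role was granted rather than only whether some lead role was.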