Open hats-bug-reporter[bot] opened 1 week ago
Non-issue, i guess not clear about how _seekMember will iterate into the leaf of the superSafeId need to evalute, the account you need to verify if this superSafeId reach the depthTreeLimit of the org, and this iterate if from the more down childSafe of the Tree, to the RootSafe, and when you check the superSafeId
you check start in the level 1, and before the while you check if you found the RootSafe or not!!, if not your start to check the level to and go on!!
so i guess is not clear how _seekMember
worked!!, but @0xRizwan and @0xmahdirostami take a look and let me your comments
Additional i guess is important to clarify the safe id not neccesary to be consecutive, for be part of the same tree!! and the level analysis into this leaves if from the down to the top!!
RootSafe | SuperSafe |
---|
SubSuperSafe
|
SubSubSuperSfe
|
.....
|
ChildSafe (in your use case the new safe to try to join the OnChain Org)
Github username: -- Twitter username: -- Submission hash (on-chain): 0x2039e8f4a354ad23a8b282996342b2492ad99fee12c71b692034926ce6c23a18 Severity: medium
Description:
Description
inside function
isLimitLevel
function_seekMember
is called:a
bool
will be returned, essentially validating if thedepthTreeLimit
has been reached.Inside this function the
level
starts counting from 2, it loops for everysafe
from an[org
].Now lets assume the following scenario:
depthTreeLimit = 10
org
isLimitLevel
is called which calls_seekMember
_seekMember
will iteratesafes
amount of timeslevel = 2
, after 9 iterations this will be11
return
statement insideisLimitLevel
will be true because:return level >= depthTreeLimit[org];
=
insidereturn level >= depthTreeLimit[org];
.now inside
addSafe
the following if statement will trigger:The problem is that the limit has been reached because
level
is set to 2 inside_seekMember
, which is checked againstdepthTreeLimit[org
which does not start at 2.Nowhere in the contract is the
depthTreeLimit
hardcoded to start at 2.Ultimately
addSafe
will trigger the TreeDepthLimitReached while in reality it has not.Tools Used
Manual Review
Recommendation
Keep consistency with the start of the indexes, make sure the variable
level
is checked against also starts at the same index.