Open hats-bug-reporter[bot] opened 1 week ago
Can you clarify that, because the safe.child Array storage the id's of safe, so if B is already called addSafe
method and add the new safe with id 1_000_000, in the loop of removeSafe
, is only a unique iteration additionally not 1 million?? so i don't understand the PoC?
Can you clarify that, because the safe.child Array storage the id's of safe, so if B is already called
addSafe
method and add the new safe with id 1_000_000, in the loop ofremoveSafe
, is only a unique iteration additionally not 1 million?? so i don't understand the PoC?
Hey, @alfredolopez80, sure I will explain
I have described that the exploiter could add 1_000_000 children by calling addSafe
1_000_000 times from different safes.
with IT'S ID FROM 1_000_000 addresses
That would make the iteration inside removeSafe
indefinitely large.
the addSafe
function includes a check with isLimitLevel
to ensure the super safe hasn't reached its depth tree limit:
// check if the superSafe Reached Depth Tree Limit
if (isLimitLevel(superSafeId)) {
revert Errors.TreeDepthLimitReached(depthTreeLimit[org]);
}
This prevents adding an excessive number of safes. ??
Hey, @batmanBinary
This check only ensures that the depth limit is not reached. Here the problem is that we add saves by width. Currently, one can add indefinitely siblings to safe with depth 1 for example.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x8f22a5576088f17cc9d92e7f2f7708511899d90445a9ccaa2db87c91912da884 Severity: medium
Description: Description\ Palmera module allow organizations to orchestrate different safes in hierarchy, where super safe can remove it's children. One problem here is that any arbitrary safe can become child of any
superSafeId
by callingaddSafe
. This will incrementsuperSafeOrgSafe.child
array. There is no limit on how many child a super safe can have (the limit is only for depth), but a child may have an unlimited amount of siblings. Now lets see how a safe is removed from an organization:We can notice that we have to find corresponding
safeId
in child array of the father and also changesuperSafe
property of all children of the removed safe. Now as this is very gas intensive operation, because it is reading/writing from/to storage in a loop, which an arbitrary user can increase indefinitely, it is a problem and potential DoS of removing a safe, because of OOG error. Attack Scenario\addSafe
with it's Id from 1_000_000 addresses and whenremoveSafe
transaction hits execution, it will try to make those 1_000_000 addresses children of A, but this would be a very large loop with guaranteed OOG error.Attachments
Proof of Concept (PoC) File
Revised Code File (Optional) Implement a limit of
safe.child
array and check it when new safe is integrated.