Open hats-bug-reporter[bot] opened 5 days ago
The scenario proposed would only affect the targetSafe, not the rest of the organization, given that if the command is executed, this Safe can be removed (removeSafe) from the organization without disconnecting it (disconnectSafe), leaving it halted, so that there is no risk of any Safe connecting to this MaliciousContract, and in no case does it break the organization's contract modules and halt all transactions, as you mention!
Github username: --
Twitter username: --
Submission hash (on-chain): 0xcfd1445fe32e3cd61570441481b6861a6508f4873ceb476920c1d26d034eb8a2
Severity: high
Description
The execTransactionOnBehalf function in the PalmeraModule contract allows certain roles (Safe Lead, Super Safe, Root Safe) to execute transactions on behalf of a target Safe. However, there is a potential vulnerability that can be exploited if the to address is malicious. Specifically, if the operation is set to Enum.Operation.DelegateCall, a malicious contract at the to address can execute a selfdestruct operation, leading to the destruction of the targetSafe contract. This can severely disrupt the organization by breaking contract modules and halting all transactions. This occurs when one of the callers who is being removed from their position uses this exploit and destroys the contracts/org.
Attack Scenario
Internal Execution: The execTransactionFromModule function internally calls the execute function:
Delegate Call Vulnerability: When operation is Enum.Operation.DelegateCall, the delegatecall opcode is used. delegatecall executes code from the to address in the context of the calling contract (targetSafe). If the to address is a malicious contract containing a selfdestruct operation, it can destroy the targetSafe contract.
Potential Exploit Scenario: An authorized caller (e.g., Safe Lead, Super Safe, Root Safe) with malicious intent or a compromised account can call execTransactionOnBehalf with a malicious to address. This can occur when one of the owners or a caller who is being removed from their position front-runs the transaction and destroys the targetSafe contract. The malicious contract at the to address executes a selfdestruct operation via delegatecall. This results in the destruction of the targetSafe contract, breaking the organization’s contract modules and halting all transactions.
Example Exploit Code
A malicious contract could look like this:
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
To mitigate this vulnerability, additional checks should be implemented to ensure the to address is not malicious. Specifically, avoid using delegatecall with untrusted addresses.
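The delegatecall path the report describes, and the allowlist check its mitigation asks for, as an added illustration that is not Palmera or Safe code and not part of the submission above. ISafeLike, ToySafe, Destroyer, ToyModuleVulnerable, ToyModuleHardened and execOnBehalf are assumed names written for this example; only the execTransactionFromModule(to, value, data, operation) shape is taken from the Safe module interface the report refers to, and the module's role checks are left out. One caveat a practitioner should keep in mind when weighing the severity: since the Cancun upgrade (EIP-6780), selfdestruct only deletes a contract's code when it runs in the same transaction that created the contract, so on such chains the Safe's code survives and the impact is the transfer of the Safe's balance to the attacker's sink rather than the removal of the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this report; not Palmera or Safe code. All contract
// and function names below are assumptions made for the example.

interface ISafeLike {
    enum Operation { Call, DelegateCall }

    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        Operation operation
    ) external returns (bool success);
}

/// Stripped-down Safe: trusts one module and forwards whatever operation the
/// module asks for, mirroring the execute() path the report points at.
contract ToySafe is ISafeLike {
    address public immutable module;

    constructor(address module_) {
        module = module_;
    }

    receive() external payable {}

    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        Operation operation
    ) external override returns (bool success) {
        require(msg.sender == module, "not module");
        if (operation == Operation.DelegateCall) {
            // Runs `to`'s code with this Safe's storage, balance and address.
            (success, ) = to.delegatecall(data);
        } else {
            (success, ) = to.call{value: value}(data);
        }
    }
}

/// The malicious `to` contract from the report. Reached via delegatecall,
/// selfdestruct executes in the Safe's context: the Safe's balance goes to
/// `sink`, and on pre-Cancun chains the Safe's code is deleted as well.
contract Destroyer {
    function attack(address payable sink) external {
        selfdestruct(sink);
    }
}

/// Vulnerable module shape: passes the caller's operation through untouched.
contract ToyModuleVulnerable {
    function execOnBehalf(
        ISafeLike targetSafe,
        address to,
        uint256 value,
        bytes calldata data,
        ISafeLike.Operation operation
    ) external returns (bool) {
        // Role checks (Safe Lead / Super Safe / Root Safe) omitted; assume
        // msg.sender already passed them.
        return targetSafe.execTransactionFromModule(to, value, data, operation);
    }
}

/// Hardened module shape: DelegateCall is only forwarded to targets the admin
/// has explicitly allowlisted; any other `to` must use a plain Call.
contract ToyModuleHardened {
    error DelegateCallNotAllowed(address to);

    address public immutable admin;
    mapping(address => bool) public trustedDelegateTarget;

    constructor() {
        admin = msg.sender;
    }

    function setTrustedDelegateTarget(address target, bool trusted) external {
        require(msg.sender == admin, "not admin");
        trustedDelegateTarget[target] = trusted;
    }

    function execOnBehalf(
        ISafeLike targetSafe,
        address to,
        uint256 value,
        bytes calldata data,
        ISafeLike.Operation operation
    ) external returns (bool) {
        if (operation == ISafeLike.Operation.DelegateCall && !trustedDelegateTarget[to]) {
            revert DelegateCallNotAllowed(to);
        }
        return targetSafe.execTransactionFromModule(to, value, data, operation);
    }
}
```

To exercise it, deploy a module, deploy ToySafe with that module's address, fund the Safe, and have the module call execOnBehalf(safe, address(destroyer), 0, abi.encodeCall(Destroyer.attack, (attacker)), ISafeLike.Operation.DelegateCall). Through ToyModuleVulnerable the Safe's balance lands at attacker; through ToyModuleHardened the call reverts with DelegateCallNotAllowed unless the admin has first allowlisted the destroyer's address, which is exactly the decision the mitigation wants to force into a reviewed, privileged step rather than leave to whoever holds an on-behalf role.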