Open hats-bug-reporter[bot] opened 4 days ago
Ok, first point @rotcivegaf: this is not an issue because it is expected behavior. The reason is that we work with the Safe signing flow. If we did not permit any EOA to call executionOnBehalf with the right signatures (as you mention), the user of the RootSafe/SuperSafe would need to sign the transaction twice, and this is a very bad UI/UX experience. So we decided to follow the Safe approach and permit that, if the EOA has the right signature with the right arguments, it can execute and pay the gas fee of the execution on behalf!!!
About the period of valid signature, we recommend our users handle this with ERC-4337, controlling the valid signature with timestamps (Valid After / Valid Until) with the ERC-4337 module of Safe; we think this is the better approach at the moment.
Github username: @Rotcivegaf
Twitter username: rotcivegaf
Submission hash (on-chain): 0x2689978b33a5ee4ff3140655311c842ed2a4825a3e4cff3f099bb9d1dce6aff9
Severity: high
Description:
The function `execTransactionOnBehalf` of the contract PalmeraModule:

These arguments make it possible that the signatures of the reverted calls to `execTransactionOnBehalf` remain valid and public, and an attacker could use these signatures to send the same transaction, generating some benefit for the attacker.

Attack Scenario

`execTransactionOnBehalf` with the right owners' signatures to make a swap in Uniswap (buy 1 ETH for 3400 USD)
`execTransactionOnBehalf` with the price of 1 ETH for 3400 USD, and call it

Recommendation

As with the behavior of `execTransactionFromModule` of ModuleManager.sol of Safe, if the call is not successful, it should not revert:

Attachments

PoC

PalmeraModule.sol#L183-L186:
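As an added illustration (not code from Palmera, Safe, or the reporter), the contract below is a hypothetical single-signer "execute on behalf" relay that shows the mechanism the report's recommendation is about: if the outer function reverts when the inner call fails, the nonce increment that was meant to spend the signature is rolled back, so the same signed payload can be submitted again later; the Safe-style shape of `execTransactionFromModule`, which returns `success` instead of reverting, leaves the nonce consumed either way. All names here (`OnBehalfRelayExample`, `ISafeLike`, `digestOf`, `execRevertOnFailure`, `execReturnBool`) are assumptions, and the single-owner `ecrecover` check stands in for real multi-owner signature verification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Palmera's or Safe's code. Names are assumptions.

interface ISafeLike {
    // Same shape as Safe's ModuleManager.execTransactionFromModule: reports failure
    // through the return value rather than by reverting.
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, uint8 operation
    ) external returns (bool success);
}

contract OnBehalfRelayExample {
    address public immutable signer;           // single authorized owner (assumption)
    mapping(address => uint256) public nonces; // per-target-safe replay counter

    event ExecutedOnBehalf(address indexed safe, bytes32 indexed digest, bool success);

    constructor(address _signer) {
        require(_signer != address(0), "zero signer"); // ecrecover returns 0 on bad input
        signer = _signer;
    }

    // The digest binds chain id, this relay, the target safe, the call and the nonce,
    // so one signature is only meaningful for one specific execution slot.
    function digestOf(address safe, address to, uint256 value, bytes calldata data, uint256 nonce)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), safe, to, value, keccak256(data), nonce)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    // Minimal 65-byte (r, s, v) check against the single signer. A production
    // contract would use a library such as OpenZeppelin's ECDSA, which also
    // rejects malleable high-s signatures.
    function _requireSigned(bytes32 digest, bytes calldata sig) internal view {
        require(sig.length == 65, "bad sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
    }

    // Pattern the report warns about: require(success) after the inner call.
    // On failure the whole transaction reverts, the nonce bump is undone, and the
    // same signature stays valid for a later submission.
    function execRevertOnFailure(
        ISafeLike safe, address to, uint256 value, bytes calldata data, bytes calldata sig
    ) external {
        uint256 nonce = nonces[address(safe)];
        bytes32 digest = digestOf(address(safe), to, value, data, nonce);
        _requireSigned(digest, sig);
        nonces[address(safe)] = nonce + 1;
        bool ok = safe.execTransactionFromModule(to, value, data, 0);
        require(ok, "exec on behalf failed"); // rolls back the nonce bump above
    }

    // Pattern the recommendation points at (mirrors execTransactionFromModule):
    // report the outcome via the return value and an event. The nonce bump
    // persists whether or not the inner call succeeded, so the signature is spent once.
    function execReturnBool(
        ISafeLike safe, address to, uint256 value, bytes calldata data, bytes calldata sig
    ) external returns (bool success) {
        uint256 nonce = nonces[address(safe)];
        bytes32 digest = digestOf(address(safe), to, value, data, nonce);
        _requireSigned(digest, sig);
        nonces[address(safe)] = nonce + 1;
        success = safe.execTransactionFromModule(to, value, data, 0);
        emit ExecutedOnBehalf(address(safe), digest, success);
    }
}
```

The trade-off the two functions make visible: `execReturnBool` never leaves a verified signature reusable, but callers and monitoring must check the return value or the `ExecutedOnBehalf` event, since a failed inner call no longer surfaces as a reverted transaction. Whether a relay should accept submissions from any EOA at all is a separate design decision (the maintainer's reply above argues for it); the example only shows the replay consequence of reverting after the signature has been verified and the nonce bumped.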