Open hats-bug-reporter[bot] opened 3 days ago
@rotcivegaf, several point here:
SafeLead
, the only thing that changes if the caller is a SafeLead
is that there is no prior check to sign!! , is the only thing, additionally that is the reason why the nonce increment is done just before calling the execTransactionFromModule
so that the nonce is incremented regardless of who calls the methodtargetSafe
criticisms of the organization !!, therefore to carry out this attack the RootSafe must be involved, which would mean that the highest hierarchical role of the organization would be compromised and therefore it cannot be avoided!!!?
Github username: @Rotcivegaf Twitter username: -- Submission hash (on-chain): 0x0980eb3f84be5c25258d06c0e6d2e683bfd7a11574107210ec6e94a4a02bf301 Severity: high
Description:
Description
In the function
execTransactionOnBehalf
thenonce
signature of theorg
is incremented always even when it is a call from theSafeLead
The problem is that if signatures from the owners were given to approve transactions and the
SafeLead
executes a transaction before execute this transactions, the transactions of the signatures will revert because the nonce will have been increased.Attack Scenario
On the one hand, the owners sign a sequence of 3 incremental nonce transactions [1, 2, 3], of these transactions one is executed, at that moment the
SafeLead
sends a transaction, then invalidates the signature of the transaction withnonce
2 since the nonce was incremented, finally the transaction with nonce 3 can be executed but the one with nonce 2 cannot, causing the transaction with nonce 2 to be skipped.Another possible scenario is that the
SafeLead
can generate a DoS to the owners that sign transactions, because when theSafeLead
sees a transaction with the owners' signatures it frontrun it by sending a transaction before it causing thenonce
to increase and invalidate the signatures.Recommendation
Attachments
PoC
https://github.com/hats-finance/Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be/blob/dfd821e2fd7825c66c079c19be9460238f6e045a/src/PalmeraModule.sol#L180
Add this test case to test/ExecTransactionOnBehalf.t.sol file: