hats-finance / Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be

Palmera hierarchical module

Unauthorized Access Control Due to Retained Root Role When Root Safe Exits and Joins New Org #76

Open hats-bug-reporter[bot] opened 3 days ago

hats-bug-reporter[bot] commented 3 days ago

Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x4fa5f750c55d8c00ed572d0c417eb015d71cfca301caef739cb0d4beed582de9
Severity: high

Description:

When a root safe exits an organization and becomes a member of a new organization, it retains the root role. This leads to unauthorized access as the contract assumes this safe is the root of the new organization. The relevant code snippet from _createOrgOrRoot assigns the ROOT_SAFE role to the root safe:

        /// Assign SUPER_SAFE Role + SAFE_ROOT Role
        RolesAuthority _authority = RolesAuthority(rolesAuthority);
        _authority.setUserRole(
            newRootSafe, uint8(DataTypes.Role.ROOT_SAFE), true
        );

Scenario:

  1. Safe A creates a new organization and becomes the root.
  2. Safe A exits this organization.
  3. Safe A is added as a member to a new organization.
  4. The contract incorrectly assumes Safe A is the root of the new organization due to the retained ROOT_SAFE role.

Impact:

Mitigation:

In the addSafe function, ensure that any existing ROOT_SAFE role is revoked before adding the safe to a new organization. The modified code should look like this:

@@ -379,6 +379,14 @@ contract PalmeraModule is Auth, Helpers {
         indexSafe[org].push(safeId);
         /// Give Role SuperSafe
         RolesAuthority _authority = RolesAuthority(rolesAuthority);
+        if (_authority.doesUserHaveRole(
+                    newSafe.safe, uint8(DataTypes.Role.ROOT_SAFE))
+            ) {
+                _authority.setUserRole(
+                    newSafe.safe, uint8(DataTypes.Role.ROOT_SAFE), false
+                );
+            }
         if (
             (
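
Review bot: the revocation in the added `if` block only runs when a safe passes through this add path, so a safe that has left its organization still holds ROOT_SAFE until it is next added somewhere; consider also clearing the role at the point where the root safe exits, so the role never outlives the root position. The call `setUserRole(newSafe.safe, uint8(DataTypes.Role.ROOT_SAFE), false)` takes no organization argument, so it clears the role for that address everywhere; a short comment stating why that is safe at this point would help. The added lines are also indented inconsistently (body at 16 spaces, closing brace at 12) against the 8-space context.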

This ensures that the root role is properly revoked when the safe is added to a new organization, preventing unauthorized access.
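
The scenario above as a simplified Python model, added here as an illustration and not taken from the Palmera code base or from the report. It assumes roles are stored per address with no organization scope; the class, method, organization and safe names are hypothetical. `stale_roots` is the invariant a regression test could assert after every membership change.

```python
ROOT_SAFE = "ROOT_SAFE"

class Model:
    """Toy registry: roles are global per address, membership is per org (assumption)."""

    def __init__(self, revoke_on_add):
        self.roles = {}      # address -> set of role names
        self.org_of = {}     # address -> org it currently belongs to
        self.root_of = {}    # org -> address recorded as its root
        self.revoke_on_add = revoke_on_add

    def create_org(self, org, safe):
        self.org_of[safe] = org
        self.root_of[org] = safe
        self.roles.setdefault(safe, set()).add(ROOT_SAFE)

    def exit_org(self, safe):
        # Membership is dropped but the role is left in place,
        # which is the behaviour the report describes.
        org = self.org_of.pop(safe)
        if self.root_of.get(org) == safe:
            del self.root_of[org]

    def add_safe(self, org, safe):
        # Mirrors the proposed mitigation when revoke_on_add is True.
        if self.revoke_on_add:
            self.roles.get(safe, set()).discard(ROOT_SAFE)
        self.org_of[safe] = org

    def stale_roots(self):
        """Addresses holding ROOT_SAFE that are not the recorded root of their org."""
        return sorted(
            addr for addr, held in self.roles.items()
            if ROOT_SAFE in held and self.root_of.get(self.org_of.get(addr)) != addr
        )

def run_scenario(revoke_on_add):
    m = Model(revoke_on_add)
    m.create_org("org1", "safeA")   # step 1: Safe A is root of org1
    m.create_org("org2", "safeB")   # a second org with its own root
    m.exit_org("safeA")             # step 2: Safe A exits org1
    after_exit = m.stale_roots()
    m.add_safe("org2", "safeA")     # step 3: Safe A joins org2 as a member
    return after_exit, m.stale_roots()

if __name__ == "__main__":
    print("without revocation:", run_scenario(False))
    print("with revocation on add:", run_scenario(True))
```

In both runs the first list is non-empty: the model's safe still holds the role between exiting and being added again, and only the revoking variant clears it on the add.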

alfredolopez80 commented 1 day ago

Is an issue, good catch!!