Open hats-bug-reporter[bot] opened 2 days ago
Another impact found: the `execTransactionOnBehalf` function calls `checkSignatures`, which in turn calls `checkNSignatures`. In Safe version 1.3.0, `checkNSignatures` contains a bug. This issue has been fixed in the latest version of Safe contracts.
@alfredolopez80
@AresAudits `getPreviewModule` returns an incorrect next pointer as you mention?
@alfredolopez80, the issue is present in version 1.3.0 of the `getModulesPaginated()` function. Here the `getModulesPaginated()` function returns an incorrect next module. Can you please check the test case below:
https://github.com/safe-global/safe-smart-account/commit/743af7f46728bb7018907a151ce649ebe4ffd142
This will pass the test, which is not correct.
```js
await expect(await safe.getModulesPaginated(AddressOne, 1)).to.be.deep.equal([[user3.address], user2.address])
await expect(await safe.getModulesPaginated(user2.address, 1)).to.be.deep.equal([[user1.address], AddressOne])
```
The same issue was found in the Brahma contest, which was then mitigated by updating to the latest version.
@alfredolopez80, let me know if you need any more information
Github username: --
Twitter username: --
Submission hash (on-chain): 0x7074de03867b7e8b3843e1dbfe5ce078e4c2f2b0ed6a3867f4da508818c1cda7
Severity: medium
Description:
The `getPreviewModule()` function in `Helpers.sol` returns the 25 modules. However, there is a bug in the external call to `safe.getModulesPaginated`. In the version of Safe contracts that Palmera is using (version `1.3.0`), the `getPreviewModules()` function returns an incorrect next pointer, resulting in incorrect data being returned. This issue has been fixed in newer versions of Safe contracts, but Palmera still uses version `1.3.0`.
Attack Scenario
Attachments
https://github.com/safe-global/safe-smart-account/blob/13c0494aca15985023b40c159c94163a4847307d/CHANGELOG.md?plain=1#L202
Upgrade to a recent version of Safe.
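The pagination behaviour shown by the test case in this thread, as an added JavaScript model that is not code from the report, Palmera, or Safe. The function names and string addresses are constructed for illustration, and `pageFixed` is an assumption about the corrected cursor (last module returned), not the upstream patch.

```javascript
// Model of Safe's module registry: a singly linked list keyed by address,
// with a sentinel (AddressOne in the test above) as head and tail marker.
const SENTINEL = "0x1";

// Constructed sample data: enabling a module inserts it right after the sentinel.
function buildRegistry(modulesInEnableOrder) {
  const links = new Map([[SENTINEL, SENTINEL]]);
  for (const m of modulesInEnableOrder) {
    links.set(m, links.get(SENTINEL));
    links.set(SENTINEL, m);
  }
  return links;
}

// Pagination as the test above exercises it: `next` is the first module that
// was NOT returned, so passing it back as `start` skips that module.
function pageV130(links, start, pageSize) {
  const page = [];
  let current = links.get(start);
  while (current !== SENTINEL && page.length < pageSize) {
    page.push(current);
    current = links.get(current);
  }
  return [page, current];
}

// Assumed corrected behaviour: the cursor is the last module actually returned.
function pageFixed(links, start, pageSize) {
  const [page, next] = pageV130(links, start, pageSize);
  return [page, next !== SENTINEL ? page[page.length - 1] : next];
}

// Caller that follows `next` until the sentinel, as a paginating reader would.
function listAll(pageFn, links, pageSize) {
  if (pageSize < 1) throw new RangeError("pageSize must be positive");
  const seen = [];
  let start = SENTINEL;
  do {
    const [page, next] = pageFn(links, start, pageSize);
    seen.push(...page);
    start = next;
  } while (start !== SENTINEL);
  return seen;
}

const registry = buildRegistry(["user1", "user2", "user3"]);
console.log(listAll(pageV130, registry, 1));  // user2 is missing
console.log(listAll(pageFixed, registry, 1)); // all three modules
```

Any code that walks pages by feeding `next` back in as `start` gets an incomplete module list under the first variant, which matters when the list is used to audit which modules are enabled.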