Open sherlock-admin opened 1 year ago
zobront clarified 124 was previously duped to 41, but was separated because it didn't accurately express the High severity exploit.
zobront added "Fix Approved" label
Fix added by spengrah for reference: https://github.com/Hats-Protocol/hats-zodiac/pull/13
unforgiven
high
Attacker can perform malicious transactions in the safe because reentrancy protection is not implemented correctly in the checkTransaction() and checkAfterExecution() functions in HSG
Summary
To prevent reentrancy during the safe's `execTransaction()` call, the code uses `_guardEntries`, increasing it in `checkTransaction()` and decreasing it in `checkAfterExecution()`. But the logic is wrong: the counter won't underflow in `checkAfterExecution()` if an attacker performs reentrancy during `execTransaction()`.
Vulnerability Detail
This is some part of the `checkTransaction()` and `checkAfterExecution()` code:

As you can see, the code increases the value of `_guardEntries` in `checkTransaction()`, which is called before the transaction execution, and decreases its value in `checkAfterExecution()`, which is called after the transaction execution. This won't protect against reentrancy during the safe's `execTransaction()` call. The attacker can perform these actions: prepare a Transaction1 that itself calls `safe.execTransaction(Transaction2)`, then call `safe.execTransaction(Transaction1)`.

The code would first call `checkTransaction()`, see that the number of signers is correct, and increase the value of `_guardEntries` to 1. Then the code in the safe would execute Transaction1, which would set the guard to 0x0 and execute Transaction2 in the safe. `checkAfterExecution()` would then get executed, see that the guard value is correct, and decrease `_guardEntries`. The attack is possible by changing the value of the threshold in the safe, because the code would perform two increases and one decrease during the reentrancy, so the underflow won't happen.

Impact

It's possible to set the guard or threshold during `execTransaction()` and execute another malicious transaction which resets the guard and threshold.
Code Snippet
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L507-L540
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L500-L503
https://github.com/safe-global/safe-contracts/blob/cb22537c89ea4187f4ad141ab2e1abf15b27416b/contracts/Safe.sol#L172-L174
Tool used
Manual Review
Recommendation
Set the initial value of the guard counter (`_guardEntries`) to 1, decrease it in `checkTransaction()` and increase it in `checkAfterExecution()`.
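As an added illustration (not code from the report or from HSG), the following Python model compares the two counter orderings in a minimal `execTransaction()` flow where the executed transaction re-enters the safe. With the original ordering the nested call completes and `_guardEntries` returns to 0 with no underflow; with the recommended ordering the second `checkTransaction()` hits 0 - 1 and reverts, as Solidity 0.8 checked arithmetic would. The `GuardCounter`, `Safe` and `run_reentrant` names are constructed for this model.

```python
# Added model of the _guardEntries counter discussed in the report; the
# GuardCounter/Safe classes are constructed for illustration, not HSG code.
class Reverted(Exception):
    pass  # stands in for a Solidity revert (checked arithmetic underflow)

class GuardCounter:
    # original: start 0, +1 in checkTransaction, -1 in checkAfterExecution
    # fixed:    start 1, -1 in checkTransaction, +1 in checkAfterExecution
    def __init__(self, scheme):
        self.scheme = scheme
        self.entries = 1 if scheme == "fixed" else 0

    def _dec(self):
        # Solidity 0.8 checked arithmetic: 0 - 1 reverts the whole call
        if self.entries == 0:
            raise Reverted("_guardEntries underflow")
        self.entries -= 1

    def check_transaction(self):
        if self.scheme == "fixed":
            self._dec()
        else:
            self.entries += 1

    def check_after_execution(self):
        if self.scheme == "fixed":
            self.entries += 1
        else:
            self._dec()

class Safe:
    # Minimal Safe.execTransaction flow: guard before, action, guard after.
    def __init__(self, guard):
        self.guard = guard
        self.executed = []

    def exec_transaction(self, name, action=None):
        self.guard.check_transaction()
        if action is not None:
            action(self)  # the action may re-enter exec_transaction
        self.executed.append(name)
        self.guard.check_after_execution()

def run_reentrant(scheme):
    # Transaction1 re-enters the safe to execute Transaction2 before it ends.
    safe = Safe(GuardCounter(scheme))
    try:
        safe.exec_transaction("Transaction1", lambda s: s.exec_transaction("Transaction2"))
        return "executed", safe.executed, safe.guard.entries
    except Reverted:
        return "reverted", safe.executed, safe.guard.entries
```

`run_reentrant("original")` returns `("executed", ["Transaction2", "Transaction1"], 0)`, while `run_reentrant("fixed")` returns `("reverted", [], 0)`.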