Increase the number of valid signers past maxSigners
Summary
The number of valid signers can be increased past maxSigners if users are added, their hats are toggled of so they are considered invalid signers, new signers are added reaching the maxSigners limit, and the hats of the previously inactive signers are toggled back on.
Vulnerability Detail
reconcileSignerCount() does not remove inactive owners from the underlying safe, it simply updates the threshold and the signerCount value.
New users can be added with respect to the maxSigners constraint after signers have been made invalid by toggling their hats off and calling reconcileSignerCount().
Once the hats of the inactive users are turned back on, the number of valid signers on the underlying safe will go above maxSigners and checks like if (currentSignerCount >= maxSigs) { revert ... } will revert.
Impact
The number of signers on the underlying safe may go above limits resulting in failing safe transaction / reconcileSignerCount() due to maxSigs checks.
cducrest-brainbot
high
Increase the number of valid signers past maxSigners
Summary
The number of valid signers can be increased past maxSigners if users are added, their hats are toggled of so they are considered invalid signers, new signers are added reaching the
maxSigners
limit, and the hats of the previously inactive signers are toggled back on.Vulnerability Detail
reconcileSignerCount()
does not remove inactive owners from the underlying safe, it simply updates the threshold and thesignerCount
value.New users can be added with respect to the
maxSigners
constraint after signers have been made invalid by toggling their hats off and callingreconcileSignerCount()
.Once the hats of the inactive users are turned back on, the number of valid signers on the underlying safe will go above
maxSigners
and checks likeif (currentSignerCount >= maxSigs) { revert ... }
will revert.Impact
The number of signers on the underlying safe may go above limits resulting in failing safe transaction /
reconcileSignerCount()
due to maxSigs checks.Code Snippet
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L181-L183
Tool used
Manual Review
Recommendation
Duplicate of #51