Open sherlock-admin opened 1 year ago
I don't believe this is a duplicate of #46, which deals with number of owners being increased by another module, while the present issue deals with owners being increased by the safe's signers. That means, however, that it be a duplicate of #118 and #170.
Addressed by https://github.com/Hats-Protocol/hats-zodiac/pull/5
@spengrah This blocks the specific path he used to get validSigners > maxSigners
, but are there any other paths to get signers into the safe (such as through Safe directly)?
If not, then most important is just to make sure there is zero way for that to happen through the contract and that invariant is rock solid. I can take another look too.
@zobront #5 makes two changes relevant to this issue:
reconcileSignerCount()
to update the valid signer count, instead tracking it dynamically via validSignerCount()
. This makes step 4 irrelevant, so even if there were a different way to get signers into the safe (which there is not), claimSigner()
would always "know" about the extra signer and therefore disallow extraneous claims.Since we've blocked owners from adding signers via a tx, and we've also blocked other modules from being added, the only way to add a new signer to the safe is via claimSigner()
. Crucially, if the number of safe owners is >= maxSigners
, instead of simply adding a new signer, claimSigner()
will replace an invalid signer with the new signer. Therefore, in combination with the changes described above, there is no possible way to have more than maxSigners
owners on the safe, and therefore no way to have more than maxSigners
valid signers.
Comment from zobront in Discord about this issue:
Confirmed, that logic seems rock solid. Good stuff.
Interpreting this as "Fix Approved" and adding a "Fix Approved" label on behalf of zobront.
roguereddwarf
medium
HatsSignerGate + MultiHatsSignerGate: more than maxSignatures can be claimed which leads to DOS in reconcileSignerCount
Summary
The
HatsSignerGate.claimSigner
andMultiHatsSignerGate.claimSigner
functions allow users to become signers.It is important that both functions do not allow that there exist more valid signers than
maxSigners
.This is because if there are more valid signers than
maxSigners
, any call toHatsSignerGateBase.reconcileSignerCount
reverts, which means that no transactions can be executed.The only possibility to resolve this is for a valid signer to give up his signer hat. No signer will voluntarily give up his signer hat. And it is wrong that a signer must give it up. Valid signers that have claimed before
maxSigners
was reached should not be affected by someone trying to become a signer and exceedingmaxSigners
. In other words the situation where one of the signers needs to give up his signer hat should have never occurred in the first place.Vulnerability Detail
Think of the following scenario:
maxSignatures=10
and there are 10 valid signersSafe.addOwnerWithThreshold
such that there are now 11 owners (still there are 10 valid signers)reconcileSignerCount
is called. So there are now 9 valid signers and 11 ownersreconcileSignerCount
is not called. So there are 11 owners and 10 valid signers. The HSG however still thinks there are 9 valid signers.When a new signer now calls
claimSigner
, all checks will pass and he will be swapped for the owner that is not a valid signer:So there are now 11 owners and 11 valid signers. This means when
reconcileSignerCount
is called, the following lines cause a revert:Impact
As mentioned before, we end up in a situation where one of the valid signers has to give up his signer hat in order for the HSG to become operable again.
So one of the valid signers that has rightfully claimed his spot as a signer may lose his privilege to sign transactions.
Code Snippet
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGate.sol#L36-L69
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/MultiHatsSignerGate.sol#L41-L81
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L183-L217
Tool used
Manual Review
Recommendation
The
HatsSignerGate.claimSigner
andMultiHatsSignerGate.claimSigner
functions should callreconcileSignerCount
such that they work with the correct amount of signers and the scenario described in this report cannot occur.