Closed sherlock-admin closed 1 year ago
Escalate for 10 USDC
This is not a duplicate of #107 .
currentSignerCount < validSignerCount
.When you look at my scenario you can see it is a different one: currentSignerCount=1, owners.length=2, validSignerCount=0, targetTreshold=1
. In fact currentSignerCount > validSignerCount
.
On the other hand I show how this check fails: https://github.com/safe-global/safe-contracts/blob/cb22537c89ea4187f4ad141ab2e1abf15b27416b/contracts/base/OwnerManager.sol#L123
Also my issue cannot be solved by just calling reconcileSignerCount
so it is not just a bad UX experience.
Escalate for 10 USDC
This is not a duplicate of #107 .
107 describes an issue when
currentSignerCount < validSignerCount
.When you look at my scenario you can see it is a different one:
currentSignerCount=1, owners.length=2, validSignerCount=0, targetTreshold=1
. In factcurrentSignerCount > validSignerCount
.107 deals with how his issue can cause an underflow in the signer count.
On the other hand I show how this check fails: https://github.com/safe-global/safe-contracts/blob/cb22537c89ea4187f4ad141ab2e1abf15b27416b/contracts/base/OwnerManager.sol#L123
Also my issue cannot be solved by just calling
reconcileSignerCount
so it is not just a bad UX experience.
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation accepted
Not a duplicate of #107
But not a valid high/medium on its own, as when validSignerCount == 0
& the number of owners is equal to or greater than the threshold, claimSigner would swap the invalidsigner
, or claimSigner would add one valid one, and then the invalid one could be removed with removeSigner.
Escalation accepted
Not a duplicate of #107 But not a valid high/medium on its own, as when
validSignerCount == 0
& the number of owners is equal to or greater than the threshold, claimSigner would swap theinvalidsigner
, or claimSigner would add one valid one, and then the invalid one could be removed with removeSigner.
This issue's escalations have been accepted!
Contestants' payouts and scores will be updated according to the changes made on this issue.
roguereddwarf
medium
HatsSignerGateBase: _removeSigner function may revert so it is not possible to remove a signer
Summary
If the
HatsSignerGateBase._removeSigner
function is called under certain conditions, it will be attempted to set the threshold in the Safe to zero which reverts.So it is not possible to remove a signer that is invalid.
Vulnerability Detail
The scenario is the following:
The
_removeSigner
function is called under these conditions:currentSignerCount=1
,owners.length=2
,validSignerCount=0
,targetTreshold=1
This means the
else
block is entered. LinkWe execute
newSignerCount = currentSignerCount - 1
. SonewSignerCount = 0
.Also,
newSignerCount <= targetThreshold
, sonewThreshold = newSignerCount
.So we set the threshold in the Safe to
0
.We can see in the code of the Safe that this will eventually revert: Link
Impact
Under certain conditions the
_removeSigner
function reverts. So it is not possible to remove a signer that has become invalid. So the signer can persist in the contract and possibly become valid again later even though he should have been removed.Code Snippet
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L365-L416
Tool used
Manual Review
Recommendation
The
threshold
should not be changed to0
. So I recommend implementing a check to ensurenewThreshold
is above0
.Fix: