Open sherlock-admin opened 1 year ago
I like the recommendation to add a function to check that HSG is can be safely wired up to an existing Safe.
Another approach could be to check in the factory that maxSigners >= hat.currentSupply
— or use the recommendation from #104 of ensuring that maxSigners > safe.getOwners()
— but this wouldn't completely solve it because more hats could be minted to existing signers between deployment and wiring up.
cc @zobront
@spengrah I agree that the check needs to be at the "wiring up" time and not earlier.
Re-adding the severity dispute tag since existing signers (who have full control over the safe prior to attaching HSG) would be both the ones attaching HSG in the first place and needing to renounce or be revoked if they made a mistake to attach. To me, this means that this is not a high severity bug, since attaching / fixing an attachment of HSG are incentive-aligned.
zobront added "Fix Approved" label
Adding the fix PR from spengrah for reference: https://github.com/Hats-Protocol/hats-zodiac/pull/14
cducrest-brainbot
high
Usage of HSG for existing safe can brick safe
Summary
The
HatsSignerGateFactory
allows for deployment of HSG / MHSG for existing safes. I believe the intention is to let the user callenableModule()
andsetGuard()
on the safe after deployme with the HSG / MHSG address.This can result in unmatching values of
maxSigners
in the HSG and number of valid signers of the safe. That will prevent further interaction with the safe rendering it unusable.Vulnerability Detail
If a safe has 10 owners with valid hats, and a HSG / MHSG is deployed with a value of
maxSigners < 10
and this HSG / MHSG is wired to the safe, the checks forvalidSignerCount <= maxSigners
will revert in the HSG.These checks are present in
reconcileSignerCount
andclaimSigner
. HoweverreconcileSignerCount
is a core function that is called bycheckTransaction()
, the pre-flight check on the safe transaction.Impact
The safe will not be able to execute any transaction until the number of valid signers is lowered (some hat wearers give up their hats / some hats turns invalid ...)
Code Snippet
reconcileSignerCount
checks maxSigners value:https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L183-L189
It is called during
checkTransaction
:https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L464
The value is set once during setup and not changeable:
https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L66-L84
Tool used
Manual Review
Recommendation
Allow this value to be changed by owner, or have a function that checks the HSG is safe before making it active after it is wired to an existing safe.