You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deployment of Malicious Safe Contracts During Hat Setup
Summary
During the setup of a new hat, the creator can deploy a malicious Safe contract instead of the intended Safe contract required by the protocol. This allows the attacker to bypass the expected governance structure and potentially compromise the protocol's security.
Root Cause
The protocol does not enforce validation of the deployed Safe contract during hat setup. As a result, the system implicitly trusts the contract specified or deployed by the hat creator, which could be malicious or non-compliant with protocol standards.
Instead of deploying the intended Safe, the attacker deploys a malicious Safe contract under their control.
Manipulate Protocol:
The malicious Safe allows the attacker to:
Gain unauthorized control over transactions.
Pass malicious governance decisions.
Execute operations that bypass or undermine protocol rules.
Exploit Control:
The attacker uses the malicious Safe to perform unauthorized operations, such as draining funds, overriding legitimate governance, or disrupting protocol functionality.
Impact
Governance Takeover:
The attacker can manipulate governance decisions using the malicious Safe.
Loss of Funds:
Funds managed by the Safe are at risk of being stolen or misused.
Protocol Integrity:
Stakeholders may lose trust in the protocol, leading to reputational damage.
Security Risks:
The protocol's operations can be disrupted, causing potential financial and operational losses.
PoC
The protocol allows a hat creator to deploy their own Safe during setup.
The attacker creates a hat and deploys a malicious Safe contract.
This Safe may override critical methods or redirect governance to the attacker's address.
The attacker uses the malicious Safe to take control of governance or drain protocol funds.
Mitigation
Require all deployed Safes to adhere to protocol standards by validating them during setup.
function _validateSafe(ISafe _safe) internalview {
require(_safe.isValidSafe(), "Invalid Safe contract");
}
The text was updated successfully, but these errors were encountered:
Puny Grey Seal
High
Deployment of Malicious Safe Contracts During Hat Setup
Summary
During the setup of a new hat, the creator can deploy a malicious
Safecontract instead of the intended Safe contract required by the protocol. This allows the attacker to bypass the expected governance structure and potentially compromise the protocol's security.Root Cause
The protocol does not enforce validation of the deployed
Safecontract during hat setup. As a result, the system implicitly trusts the contract specified or deployed by the hat creator, which could be malicious or non-compliant with protocol standards.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Hat Creation:
https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L160-L168
An attacker creates a new hat and sets up the governance structure, including deploying a Safe contract.
Deploy Malicious Safe:
Instead of deploying the intended Safe, the attacker deploys a malicious Safe contract under their control.
Manipulate Protocol:
The malicious Safe allows the attacker to:
Gain unauthorized control over transactions.
Pass malicious governance decisions.
Execute operations that bypass or undermine protocol rules.
Exploit Control:
The attacker uses the malicious Safe to perform unauthorized operations, such as draining funds, overriding legitimate governance, or disrupting protocol functionality.
Impact
Governance Takeover:
The attacker can manipulate governance decisions using the malicious Safe.
Loss of Funds:
Funds managed by the Safe are at risk of being stolen or misused.
Protocol Integrity:
Stakeholders may lose trust in the protocol, leading to reputational damage.
Security Risks:
The protocol's operations can be disrupted, causing potential financial and operational losses.
PoC
The protocol allows a hat creator to deploy their own Safe during setup.
The attacker creates a hat and deploys a malicious Safe contract.
This Safe may override critical methods or redirect governance to the attacker's address.
The attacker uses the malicious Safe to take control of governance or drain protocol funds.
Mitigation
Require all deployed Safes to adhere to protocol standards by validating them during setup.
The text was updated successfully, but these errors were encountered: