
Dizzy Tan Parakeet - An Attacker Can Register New Hats for Arbitrary Signers to Abuse Safe Signatures #46

Open
sherlock-admin3 opened this issue Nov 23, 2024 · 0 comments


@sherlock-admin3

Dizzy Tan Parakeet

Medium

An Attacker Can Register New Hats for Arbitrary Signers to Abuse Safe Signatures

Summary

When claimableFor is set to true, an attacker can register new Hats for any legitimate signer, allowing them to abuse the Safe’s signature permissions by calling claimSignerFor or claimSignersFor.

Root Cause

https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L215

In the HatsSignerGate contract, when claimableFor is set to true, there is no restriction on the caller of claimSignerFor or claimSignersFor, enabling arbitrary users to exploit these methods.

Internal pre-conditions

The contract variable claimableFor is set to true.
The signer _signer must wear a valid Hat (validated via HATS.isWearerOfHat).
The current Safe signature threshold is met (validated by _getRequiredValidSignatures).

External pre-conditions

Call claimSignerFor or claimSignersFor to register a new Hat for any signer.

Attack Path

The attacker calls claimSignerFor(_hatId, _signer) with a valid signer’s address _signer and Hat ID _hatId.
The contract invokes _registerSigner, validating the signer’s ownership of the specified Hat.
The contract adds the signer to the Safe via _addSigner.
The attacker repeats the process to register multiple Hats and signers.

Impact

Affected Party: Safe Signers
In this attack path, the Safe’s signature permissions are compromised.
Potential risks:

The attacker could register excessive signers, reducing the overall security of the Safe.
Malicious registrations could alter threshold configurations, disrupting transaction approval flows.

PoC

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the single HatsSignerGate function the PoC calls.
interface HatsSignerGate {
    function claimSignerFor(uint256 _hatId, address _signer) external;
}

contract Exploit {
    // Any caller can invoke this while claimableFor is true, because the gate
    // does not check msg.sender before registering _signer for _hatId.
    function exploit(address hsg, uint256 hatId, address signer) public {
        HatsSignerGate(hsg).claimSignerFor(hatId, signer);
    }
}
```

Mitigation

Add access control to claimSignerFor and claimSignersFor to limit their usage to specific roles.
Implement a whitelist mechanism to restrict which signers can be registered.
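As an added illustration of the two mitigations above (example code, not the project's contract), a simplified gate that still lets a signer claim for itself but rejects third-party claims unless the caller is the owner and the signer has been allowlisted. The IHats interface, the GuardedSignerGate contract and the batch function signature are assumptions; the real contract adds the signer to the Safe, which is only recorded here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal Hats interface; only the wearer check the gate relies on.
interface IHats {
    function isWearerOfHat(address _user, uint256 _hatId) external view returns (bool);
}

// Simplified stand-in for HatsSignerGate (not the project's code). The real
// contract adds the signer to the Safe; here registration is just recorded.
contract GuardedSignerGate {
    IHats public immutable HATS;
    address public owner;
    bool public claimableFor;
    mapping(address => bool) public claimAllowlist; // mitigation 2: who may be claimed for
    mapping(address => bool) public registered;
    event SignerRegistered(address indexed signer, uint256 indexed hatId, address indexed by);
    error NotOwner();
    error NotClaimableFor();
    error NotAuthorized(address caller);
    error SignerNotAllowlisted(address signer);
    error NotHatWearer(address signer, uint256 hatId);
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    constructor(IHats hats, bool claimableFor_) {
        HATS = hats; owner = msg.sender; claimableFor = claimableFor_;
    }

    function setClaimAllowlist(address signer, bool allowed) external onlyOwner {
        claimAllowlist[signer] = allowed;
    }

    // Mitigation 1: a third party may only claim on behalf of a signer if the caller
    // is the owner; self-claims keep working regardless of claimableFor.
    function claimSignerFor(uint256 _hatId, address _signer) public {
        if (msg.sender != _signer) {
            if (!claimableFor) revert NotClaimableFor();
            if (msg.sender != owner) revert NotAuthorized(msg.sender);
            if (!claimAllowlist[_signer]) revert SignerNotAllowlisted(_signer);
        }
        if (!HATS.isWearerOfHat(_signer, _hatId)) revert NotHatWearer(_signer, _hatId);
        registered[_signer] = true; // real contract: _registerSigner + _addSigner
        emit SignerRegistered(_signer, _hatId, msg.sender);
    }

    // Batch variant (assumed signature); each entry goes through the same checks.
    function claimSignersFor(uint256[] calldata _hatIds, address[] calldata _signers) external {
        require(_hatIds.length == _signers.length, "length mismatch");
        for (uint256 i = 0; i < _signers.length; i++) claimSignerFor(_hatIds[i], _signers[i]);
    }
}
```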
