Taiger4526 - An Attacker Can Arbitrarily Remove Safe Signers via removeSigner Method #48

Open
sherlock-admin4 opened this issue Nov 23, 2024 · 0 comments

sherlock-admin4 commented Nov 23, 2024

Taiger4526

Medium

An Attacker Can Arbitrarily Remove Safe Signers via removeSigner Method

Summary

The HatsSignerGate contract’s removeSigner method has a vulnerability that allows an attacker to remove any signer from the Safe. This happens because the method lacks proper caller permission checks and fails to validate _signer thoroughly.

Root Cause

https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L282
In the HatsSignerGate contract, the removeSigner method does not check the caller's permissions and only relies on isValidSigner(_signer) to verify the _signer's Hat status. If _signer no longer wears a valid Hat, the method can be called by any user.

Internal pre-conditions

_signer must no longer wear a valid Hat (!isValidSigner(_signer)).
The removeSigner method is callable by any user without permission checks.

External pre-conditions

The attacker calls the removeSigner method directly; no other external condition is required.

Attack Path

The attacker calls removeSigner(_signer) with the target _signer’s address.
The contract deletes _signer’s record in registeredSignerHats and removes _signer from the Safe’s signer list via _removeSigner.
The attacker repeats the process to remove multiple signers, reducing the Safe’s security.

Impact

Affected Party: Safe Signers
In this attack path, the Safe’s signer list is maliciously tampered with.

The attacker can remove critical signers, obstructing legitimate transaction approvals and disrupting normal operations.
The attacker could reduce the number of signers, manipulating the threshold and gaining control over transaction approvals.

PoC

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the single call the PoC makes; removeSigner(address)
// is the entry point referenced in this finding.
interface HatsSignerGate {
    function removeSigner(address _signer) external;
}

contract Exploit {
    // Callable by anyone: removeSigner performs no caller check, so the only
    // precondition is that `signer` no longer wears a valid Hat.
    function exploit(address hsg, address signer) public {
        HatsSignerGate(hsg).removeSigner(signer);
    }
}
```

Mitigation

Add permission checks to the removeSigner method, restricting it to specific roles.
Validate _signer’s removal by requiring admin or signer confirmation.

@sherlock-admin2 sherlock-admin2 changed the title Dizzy Tan Parakeet - An Attacker Can Arbitrarily Remove Safe Signers via removeSigner Method Taiger4526 - An Attacker Can Arbitrarily Remove Safe Signers via removeSigner Method Nov 27, 2024
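The following is an added example, not code from the Hats Protocol repository or from the finding's author. It is a hypothetical, reduced model of a signer gate that places the permissionless pattern the finding describes beside the restricted variant it proposes as mitigation. The `IHats` interface is assumed to expose `isWearerOfHat(address,uint256)`; the Safe's owner list is replaced by a local mapping so the two `removeSigner` variants can be compared in isolation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: Hats Protocol exposes isWearerOfHat(address,uint256).
interface IHats {
    function isWearerOfHat(address _user, uint256 _hatId) external view returns (bool);
}

/// @dev Hypothetical model, not the project's HatsSignerGate. The Safe owner
/// set is stood in for by `isSafeOwner` so the behaviour is self-contained.
contract SignerGateModel {
    IHats public immutable hats;
    address public immutable owner;              // role permitted to remove signers
    mapping(address => uint256) public registeredSignerHats;
    mapping(address => bool) public isSafeOwner; // stands in for the Safe's owner list
    uint256 public signerCount;

    error NotOwner();
    error NotRegistered(address signer);
    error StillValidSigner(address signer);
    error NotWearingHat(address signer, uint256 hatId);

    event SignerRemoved(address indexed signer, address indexed by);

    constructor(IHats _hats, address _owner) {
        hats = _hats;
        owner = _owner;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Register the caller as a signer, recording the hat that authorises them.
    function claimSigner(uint256 hatId) external {
        if (!hats.isWearerOfHat(msg.sender, hatId)) revert NotWearingHat(msg.sender, hatId);
        if (!isSafeOwner[msg.sender]) {
            isSafeOwner[msg.sender] = true;
            signerCount += 1;
        }
        registeredSignerHats[msg.sender] = hatId;
    }

    /// A signer stays valid only while they still wear the hat they registered with.
    function isValidSigner(address signer) public view returns (bool) {
        uint256 hatId = registeredSignerHats[signer];
        return hatId != 0 && hats.isWearerOfHat(signer, hatId);
    }

    /// Pattern described in the finding: no caller check, only the hat check.
    /// Any address can remove a signer as soon as that signer's hat is gone.
    function removeSignerPermissionless(address _signer) external {
        if (isValidSigner(_signer)) revert StillValidSigner(_signer);
        _removeSigner(_signer);
    }

    /// Mitigation proposed in the finding: same hat check, but the caller must
    /// hold the `owner` role, so an arbitrary address cannot trigger removal.
    function removeSigner(address _signer) external onlyOwner {
        if (isValidSigner(_signer)) revert StillValidSigner(_signer);
        _removeSigner(_signer);
    }

    function _removeSigner(address _signer) internal {
        if (!isSafeOwner[_signer]) revert NotRegistered(_signer);
        delete registeredSignerHats[_signer];
        isSafeOwner[_signer] = false;
        signerCount -= 1;
        emit SignerRemoved(_signer, msg.sender);
    }
}
```

In a Foundry test against this model, `removeSigner` called from a non-owner reverts with `NotOwner()` regardless of the target's hat status, while `removeSignerPermissionless` succeeds for any caller once `isWearerOfHat` returns false for the registered hat; both variants still revert with `StillValidSigner` while the hat is worn, so the access check is added on top of, not instead of, the existing validity check.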