Dizzy Tan Parakeet - Potential Underflow Risk in checkTransaction Due to safe.nonce() - 1 #59
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Dizzy Tan Parakeet
Medium
Potential Underflow Risk in checkTransaction Due to safe.nonce() - 1
Summary
In the HatsSignerGate contract, the checkTransaction method uses safe.nonce() - 1 to record the initial nonce of a transaction. If safe.nonce() equals 0, this will result in an integer underflow, causing an exception and disrupting the verification logic.
Root Cause
https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L424
In the checkTransaction method, _initialNonce is set to safe.nonce() - 1 without verifying whether safe.nonce() is 0. This lack of validation causes an underflow when safe.nonce() equals 0.
Internal pre-conditions
The initial value of safe.nonce() is 0.
The checkTransaction method is called, triggering the _initialNonce = safe.nonce() - 1 logic.
No check is performed to ensure safe.nonce() is not 0.
External pre-conditions
The contract's safe.nonce() has not been incremented by any transaction.
Attack Path
The value of safe.nonce() is 0 during initialization.
The checkTransaction method is invoked.
Underflow occurs at _initialNonce = safe.nonce() - 1, disrupting the transaction validation logic.
Impact
Affected Party: Transaction validation logic in the HatsSignerGate contract
If safe.nonce() is 0, the first transaction could fail validation due to the underflow, preventing proper execution.
Other functionalities relying on transaction validation may also be affected, halting the normal operation of the system.
PoC
No response
Mitigation
No response
The text was updated successfully, but these errors were encountered: