Skip to content

Latest commit

 

History

History
55 lines (33 loc) · 1.99 KB

File metadata and controls

55 lines (33 loc) · 1.99 KB

Dizzy Tan Parakeet

Medium

An Attacker Can Arbitrarily Remove Safe Signers via removeSigner Method

Summary

The HatsSignerGate contract’s removeSigner method has a vulnerability that allows an attacker to remove any signer from the Safe. This happens because the method lacks proper caller permission checks and fails to validate _signer thoroughly.

Root Cause

https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L282 In the HatsSignerGate contract, the removeSigner method does not check the caller's permissions and only relies on isValidSigner(_signer) to verify the _signer's Hat status. If _signer no longer wears a valid Hat, the method can be called by any user.

Internal pre-conditions

_signer must no longer wear a valid Hat (!isValidSigner(_signer)). The removeSigner method is callable by any user without permission checks.

External pre-conditions

Call this removeSigner method directly

Attack Path

The attacker calls removeSigner(_signer) with the target _signer’s address. The contract deletes _signer’s record in registeredSignerHats and removes _signer from the Safe’s signer list via _removeSigner. The attacker repeats the process to remove multiple signers, reducing the Safe’s security.

Impact

Affected Party: Safe Signers In this attack path, the Safe’s signer list is maliciously tampered with.

The attacker can remove critical signers, obstructing legitimate transaction approvals and disrupting normal operations. The attacker could reduce the number of signers, manipulating the threshold and gaining control over transaction approvals.

PoC

// SPDX-License-Identifier: MIT pragma solidity ^0.8.0;

contract Exploit { function exploit(address hsg, address signer) public { HatsSignerGate(hsg).removeSigner(signer); } }

Mitigation

Add permission checks to the removeSigner method, restricting it to specific roles. Validate _signer’s removal by requiring admin or signer confirmation.