Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0xKann - Vulnerability in Threshold Manipulation via Signer Reregistration #40

Open
sherlock-admin3 opened this issue Nov 23, 2024 · 0 comments

Comments

@sherlock-admin3
Copy link

sherlock-admin3 commented Nov 23, 2024

0xKann

High

Vulnerability in Threshold Manipulation via Signer Reregistration

Summary

The current implementation of the claimSigner and _addSigner functions allows a signer to re-register multiple times with the same hat, potentially manipulating the threshold for Safe owners.
!The issue is that while the function allows for re-registration when _allowReregistration is set to true, there's no check to prevent a signer from reregistering the same hat, which could indeed lead to undesirable behavior—like inflating the number of signers and unnecessarily updating the threshold.

Root Cause

The issue arises because the system allows re-registration of signers with _allowReregistration set to true without checking whether the signer is already registered. As a result, the signer can continuously reregister, leading to unnecessary changes in the ownership threshold (newThreshold) each time a new signer is added.
https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L206-L212 _addSigner.
Threshold Update Logic: The _getNewThreshold function adjusts the threshold each time a new owner is added. If a signer keeps re-registering, the threshold keeps getting updated, potentially reducing the quorum required for valid signatures.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Initial Condition:
An attacker registers a signer by calling the claimSigner function, which allows them to add themselves as a signer.

Reregistration Process:
The attacker can then repeatedly call claimSigner with _allowReregistration set to true. Since no check exists to verify if the address is already registered, the signer can reregister and trigger threshold updates each time.

Threshold Manipulation:
Each reregistration causes the system to update the ownership threshold, lowering the number of required valid signers for approval. This gives the attacker the ability to bypass governance or consensus mechanisms and gain control over critical decisions within the Safe.

Exploitation:
By inflating the number of owners (via multiple reregistrations), the attacker can reduce the quorum required for transaction approvals. This enables them to potentially manipulate or approve malicious transactions without sufficient checks and balances.

Impact

A member of the hat can repeatedly reregister as a signer, causing the threshold to be updated each time. This manipulation allows the attacker to increase the number of signers, effectively lowering the quorum required for approval. As a result, the attacker can influence the system by making it easier for certain votes or transactions to fail, simply by continually updating the threshold with each reregistration.

PoC

No response

Mitigation

add a check if the address is already registered and if he is dont update threshold + 1

@sherlock-admin2 sherlock-admin2 changed the title Puny Grey Seal - Vulnerability in Threshold Manipulation via Signer Reregistration 0xKann - Vulnerability in Threshold Manipulation via Signer Reregistration Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant