You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Vulnerability in Threshold Manipulation via Signer Reregistration
Summary
The current implementation of the claimSigner and _addSigner functions allows a signer to re-register multiple times with the same hat, potentially manipulating the threshold for Safe owners.
!The issue is that while the function allows for re-registration when _allowReregistration is set to true, there's no check to prevent a signer from reregistering the same hat, which could indeed lead to undesirable behavior—like inflating the number of signers and unnecessarily updating the threshold.
Root Cause
The issue arises because the system allows re-registration of signers with _allowReregistration set to true without checking whether the signer is already registered. As a result, the signer can continuously reregister, leading to unnecessary changes in the ownership threshold (newThreshold) each time a new signer is added. https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L206-L212_addSigner.
Threshold Update Logic: The _getNewThreshold function adjusts the threshold each time a new owner is added. If a signer keeps re-registering, the threshold keeps getting updated, potentially reducing the quorum required for valid signatures.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Initial Condition:
An attacker registers a signer by calling the claimSigner function, which allows them to add themselves as a signer.
Reregistration Process:
The attacker can then repeatedly call claimSigner with _allowReregistration set to true. Since no check exists to verify if the address is already registered, the signer can reregister and trigger threshold updates each time.
Threshold Manipulation:
Each reregistration causes the system to update the ownership threshold, lowering the number of required valid signers for approval. This gives the attacker the ability to bypass governance or consensus mechanisms and gain control over critical decisions within the Safe.
Exploitation:
By inflating the number of owners (via multiple reregistrations), the attacker can reduce the quorum required for transaction approvals. This enables them to potentially manipulate or approve malicious transactions without sufficient checks and balances.
Impact
A member of the hat can repeatedly reregister as a signer, causing the threshold to be updated each time. This manipulation allows the attacker to increase the number of signers, effectively lowering the quorum required for approval. As a result, the attacker can influence the system by making it easier for certain votes or transactions to fail, simply by continually updating the threshold with each reregistration.
PoC
No response
Mitigation
add a check if the address is already registered and if he is dont update threshold + 1
The text was updated successfully, but these errors were encountered:
sherlock-admin2
changed the title
Puny Grey Seal - Vulnerability in Threshold Manipulation via Signer Reregistration
0xKann - Vulnerability in Threshold Manipulation via Signer Reregistration
Nov 27, 2024
0xKann
High
Vulnerability in Threshold Manipulation via Signer Reregistration
Summary
The current implementation of the
claimSigner
and_addSigner
functions allows a signer to re-register multiple times with the same hat, potentially manipulating the threshold forSafe
owners.!The issue is that while the function allows for re-registration when
_allowReregistration
is set to true, there's no check to prevent a signer from reregistering the same hat, which could indeed lead to undesirable behavior—like inflating the number of signers and unnecessarily updating the threshold.Root Cause
The issue arises because the system allows re-registration of signers with
_allowReregistration
set to true without checking whether the signer is already registered. As a result, the signer can continuously reregister, leading to unnecessary changes in the ownership threshold(newThreshold)
each time a new signer is added.https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L206-L212
_addSigner
.Threshold Update Logic: The
_getNewThreshold
function adjusts the threshold each time a new owner is added. If a signer keeps re-registering, the threshold keeps getting updated, potentially reducing the quorum required for valid signatures.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Initial Condition:
An attacker registers a signer by calling the claimSigner function, which allows them to add themselves as a signer.
Reregistration Process:
The attacker can then repeatedly call claimSigner with _allowReregistration set to true. Since no check exists to verify if the address is already registered, the signer can reregister and trigger threshold updates each time.
Threshold Manipulation:
Each reregistration causes the system to update the ownership threshold, lowering the number of required valid signers for approval. This gives the attacker the ability to bypass governance or consensus mechanisms and gain control over critical decisions within the Safe.
Exploitation:
By inflating the number of owners (via multiple reregistrations), the attacker can reduce the quorum required for transaction approvals. This enables them to potentially manipulate or approve malicious transactions without sufficient checks and balances.
Impact
A member of the hat can repeatedly reregister as a signer, causing the threshold to be updated each time. This manipulation allows the attacker to increase the number of signers, effectively lowering the quorum required for approval. As a result, the attacker can influence the system by making it easier for certain votes or transactions to fail, simply by continually updating the threshold with each reregistration.
PoC
No response
Mitigation
add a check if the address is already registered and if he is dont update threshold + 1
The text was updated successfully, but these errors were encountered: