Platform: Code4rena
Start Date: 13/10/2023
Pot Size: $31,250 USDC
Total HM: 4
Participants: 51
Period: 7 days
Judge: 0xsomeone
Id: 295
League: ETH
Rank: 13/51
Findings: 1
Award: $152.13
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: Alra, Arz, GREY-HAWK-REACH, alexzoid, radev_sw, rvierdiiev, sorrynotsorry
152.1324 USDC - $152.13
Additional getters of public mappings are implemented. Either directly call the public mapping to retrieve the desired values, or make the mappings internal or private.
There are 3 instances of this issue:
File: src/core/AddressProvider.sol function getAuthorizedAddress(bytes32 _key) external view returns (address) { return authorizedAddresses[_key]; }
File: src/core/AddressProvider.sol function getRegistry(bytes32 _key) external view returns (address) { return registries[_key]; }
File: src/core/registries/WalletRegistry.sol function getSubAccountsForWallet(address _wallet) external view returns (address[] memory) { return walletToSubAccountList[_wallet]; }
TransactionValidator.sol#L149 TransactionValidator.sol#L66
- function _isConsoleBeingOverriden( + function _isConsoleBeingOverridden(
- if (_isConsoleBeingOverriden(txParams.from, txParams.to, txParams.value, txParams.data, txParams.operation)) { + if (_isConsoleBeingOverridden(txParams.from, txParams.to, txParams.value, txParams.data, txParams.operation)) {
EOAs can registerWallet() themselves and deploySubAccount's. Consider adding extra checks so only SafeWallets are able to do that.
Safe's code has the following line:
require(success || safeTxGas != 0 || gasPrice != 0, "GS013");
Because safeTxGas and gasPrice are hardcoded as zeroes, it can be deduced to require(success).
success == false - the execution reverts immediately.
success == true - the execution is successful; execTransaction returns true.
Thus, it is impossible for execTransaction with safeTxGas == 0 and gasPrice == 0 to return false.
- error SafeExecTransactionFailed(); /* ... */ function _executeOnSafe(address safe, address target, Enum.Operation op, bytes memory data) internal { - bool success = IGnosisSafe(safe).execTransaction( + IGnosisSafe(safe).execTransaction( address(target), // to 0, // value data, // data op, // operation 0, // safeTxGas 0, // baseGas 0, // gasPrice address(0), // gasToken payable(address(0)), // refundReceiver _generateSingleThresholdSignature(address(this)) // signatures ); - if (!success) revert SafeExecTransactionFailed(); }
function deployConsoleAccount( address[] calldata _owners, uint256 _threshold, bytes32 _policyCommit, bytes32 _salt ) external nonReentrant returns (address _safe) { + uint256 ownersLengthMinusOne = _owners.length - 1; + for (uint i; i < ownersLengthMinusOne; i++){ + require(_owners[i] < _owners[i + 1], "Wrong order"); + } /* ... */
/** * @notice Governance setter * @param _newGovernance address of new governance */ function setGovernance(address _newGovernance) external { _notNull(_newGovernance); _onlyGov(); emit GovernanceTransferRequested(governance, _newGovernance); pendingGovernance = _newGovernance; } /** * @notice Governance accepter */ function acceptGovernance() external { if (msg.sender != pendingGovernance) { revert NotPendingGovernance(msg.sender); } emit GovernanceTransferred(governance, msg.sender); governance = msg.sender; delete pendingGovernance; }
#0 - c4-pre-sort
2023-10-22T23:02:44Z
raymondfam marked the issue as sufficient quality report
#1 - alex-ppg
2023-10-26T19:01:44Z
The comparative quality of the report is B as there are some valid recommendations that have been manually identified.
WalletRegistry::registerWallet is not security-sensitive, however, the WalletRegistry::registerSubAccount is. We can observe that the function applies adequate access control to ensure that the SafeDeployer is its caller and the SafeDeployer solely invokes it with a msg.sender argument as the _wallet, meaning that the listed absence of access control cannot affect the registry in a negative way.SafeExecTransactionFailed error to be eliminated from the code.SafeDeployer indicates that the Brahma team is aware of potential _owners orders affecting deployed wallet addresses and could potentially be a desirable trait .#2 - c4-judge
2023-10-26T19:01:52Z
alex-ppg marked the issue as grade-b
#3 - alex-ppg
2023-10-31T21:30:43Z
Based on the downgrade but acceptance of multiple QA findings, I will upgrade the grade of this QA report to A.
#4 - c4-judge
2023-10-31T21:30:49Z
alex-ppg marked the issue as grade-a