Coinbase Smart Wallet - IceBear's results

Smart Wallet from Coinbase Wallet

General Information

Platform: Code4rena

Start Date: 14/03/2024

Pot Size: $49,000 USDC

Total HM: 3

Participants: 51

Period: 7 days

Judge: 3docSec

Id: 350

League: ETH

Coinbase

Findings Distribution

Researcher Performance

Rank: 24/51

Findings: 1

Award: $36.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

36.3397 USDC - $36.34

Labels

bug
downgraded by judge
grade-a
QA (Quality Assurance)
sufficient quality report
:robot:_08_group
duplicate-18
Q-18

External Links

Lines of code

https://github.com/code-423n4/2024-03-coinbase/blob/main/src/SmartWallet/MultiOwnable.sol#L77

Vulnerability details

Impact

The initial owner of CoinbaseSmartWallet can use addOwnerAddress() in MultiOwnable.sol to add a new owner address. The onlyOwner modifier uses _checkOwner() to ensure the caller is an authorized owner:

```solidity
function _checkOwner() internal view virtual {
    if (isOwnerAddress(msg.sender) || (msg.sender == address(this))) {
        return;
    }
    revert Unauthorized();
}
```

isOwnerAddress() checks whether the given account address is registered as an owner:

```solidity
/// @notice Checks if the given `account` address is registered as owner.
///
/// @param account The account address to check.
///
/// @return `true` if the account is an owner, else `false`.
function isOwnerAddress(address account) public view virtual returns (bool) {
    return _getMultiOwnableStorage().isOwner[abi.encode(account)];
}
```

Consider this scenario:

  1. User A calls addOwnerAddress() to add B as a new owner address.
  2. B becomes malicious, and A now wants to use removeOwnerAtIndex() to remove B.
  3. B notices the transaction and front-runs it. B can call addOwnerAddress() to add another address C as a new owner, or directly call removeOwnerAtIndex() to remove the initial owner A.
  4. If B removes initial owner A, B can now take over the smart wallet.
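To make steps 1-4 concrete, here is a constructed, simplified model of the owner bookkeeping; it is an added example, not Coinbase's MultiOwnable.sol and not the researcher's code. Only the names addOwnerAddress, removeOwnerAtIndex, isOwnerAddress and _checkOwner come from the page; the ownerAtIndex mapping, the constructor and the restrictToInitialOwner flag (which switches in the mitigation this report proposes, restricting membership changes to the initial owner) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed, simplified owner set. NOT the real MultiOwnable.sol: it keeps
/// only the gated entry points needed to walk through the scenario above.
contract OwnerSetModel {
    error Unauthorized();
    // Storage keyed like the page's isOwner mapping: abi.encode(account).
    mapping(bytes => bool) internal isOwner;
    mapping(uint256 => bytes) internal ownerAtIndex;   // assumption: index 0 = initial owner
    uint256 public nextOwnerIndex;
    bool public immutable restrictToInitialOwner;       // assumption: toggles the mitigation

    constructor(address initialOwner, bool restrict) {
        restrictToInitialOwner = restrict;
        _addOwner(abi.encode(initialOwner));
    }
    modifier onlyOwner() { _checkOwner(); _; }
    // Same check the page quotes: any registered owner (or the wallet itself) passes.
    function _checkOwner() internal view {
        if (isOwnerAddress(msg.sender) || msg.sender == address(this)) return;
        revert Unauthorized();
    }
    function isOwnerAddress(address account) public view returns (bool) {
        return isOwner[abi.encode(account)];
    }
    function addOwnerAddress(address account) external onlyOwner {
        _addOwner(abi.encode(account));
    }
    // restrict == false: owner B, once added, can remove index 0 before A's own
    // removeOwnerAtIndex transaction is mined (steps 3-4 above).
    // restrict == true: only the initial owner manages membership and index 0
    // is never removable, so B cannot lock A out.
    function removeOwnerAtIndex(uint256 index) external onlyOwner {
        if (restrictToInitialOwner) {
            if (keccak256(ownerAtIndex[0]) != keccak256(abi.encode(msg.sender))) revert Unauthorized();
            require(index != 0, "initial owner is not removable");
        }
        bytes memory owner = ownerAtIndex[index];
        require(owner.length != 0, "no owner at index");
        delete isOwner[owner];
        delete ownerAtIndex[index];
    }

    function _addOwner(bytes memory owner) internal {
        require(!isOwner[owner], "already an owner");
        isOwner[owner] = true;
        ownerAtIndex[nextOwnerIndex++] = owner;
    }
}
```

Deploy with restrict == false, have A call addOwnerAddress(B), then call removeOwnerAtIndex(0) from B: isOwnerAddress(A) becomes false. Deploy with restrict == true and the same call from B reverts with Unauthorized.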

Proof of Concept

https://github.com/code-423n4/2024-03-coinbase/blob/main/src/SmartWallet/MultiOwnable.sol#L77

Tools Used

Only the initial owner of the smart wallet can add/remove a new address as owner.

Assessed type

MEV

#0 - raymondfam

2024-03-21T22:08:05Z

See #61.

#1 - c4-pre-sort

2024-03-21T22:08:09Z

raymondfam marked the issue as sufficient quality report

#2 - c4-pre-sort

2024-03-21T22:08:17Z

raymondfam marked the issue as duplicate of #18

#3 - c4-pre-sort

2024-03-22T22:32:14Z

raymondfam marked the issue as duplicate of #22

#4 - c4-pre-sort

2024-03-22T23:34:36Z

raymondfam marked the issue as not a duplicate

#5 - c4-pre-sort

2024-03-22T23:34:51Z

raymondfam marked the issue as duplicate of #57

#6 - c4-judge

2024-03-27T08:55:47Z

3docSec marked the issue as not a duplicate

#7 - c4-judge

2024-03-27T08:55:58Z

3docSec marked the issue as duplicate of #18

#8 - c4-judge

2024-03-27T10:20:16Z

3docSec changed the severity to QA (Quality Assurance)

#9 - c4-judge

2024-03-27T10:22:39Z

3docSec marked the issue as grade-a
