Platform: Code4rena
Start Date: 13/10/2023
Pot Size: $31,250 USDC
Total HM: 4
Participants: 51
Period: 7 days
Judge: 0xsomeone
Id: 295
League: ETH
Rank: 38/51
Findings: 1
Award: $14.47
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: niroh
Also found by: 0xDetermination, 0xSmartContract, 0xbrett8571, 0xdice91, 0xweb3boy, Bauchibred, Bube, DadeKuma, JCK, K42, LinKenji, Myd, SAAJ, ZanyBonzy, albahaca, castle_chain, catellatech, digitizeworx, emerald7017, fouzantanveer, hunter_w3b, invitedtea, m4ttm, rahul, xiao
14.466 USDC - $14.47
the protocol uses a well-structured codebase , to enable the automation and the delegation of the execution of the transactions and allow the executors and the operators to perform defi activities on the subAccount that delegated them , by
executorPlugin to request the executionthe protocol should build a network contains multiple nodes to verify the policy with the transaction and guarantee that the verification process done correctly without any manipulation by a malicious party
consider adding this function to the wallet registry contract to allow the main console`s owners to remove the sub account in case the operators be malicious .
the protocol only allow the owners of the main console to register the executor , it will be better to allow the operators to set the executors since the sub account is always protected by the policy and the trusted validator , so this will enhance the automation of the process by letting the operators set the executors .
enable the executorPlugin contract as a module on the subAccount is a necessary step to allow the executors to execute the transaction on the subAccount so this step should be added in the setup by calling the safeEnabler contract and enable the executorPlugin as module
this will enhance the user experience and will allow the immediate activity of the automation process .
since the consoleFallBackHandler`s functionality is to validate the ERC-1271 signatures and it has no role in the validation process of the transactions , and the protocol allow the main console to modify the handler but this will freeze the functionality of the executorPlugin , so to achieve a better user experience the protocol can allow this modification , to allow the user to add more logic to the fallback hooks of transactions .
consider remove this check
if (fallbackHandler != AddressProviderService._getAuthorizedAddress(_CONSOLE_FALLBACK_HANDLER_HASH)) { revert InvalidFallbackHandler(); }
as the executor is the responsible for the defi interaction and the automation process and he is the party that build the transaction and execute it , the executor should set the expiry Epoch to make sure that the transaction will be executed within an appropriate time so the strategy that the executor perform is done correctly and the transaction has not been executed with a stale data , so this will enhance all the automation process and will evaluate the implementation of the strategies by the executors .
the recommendations are to allow the executor to sign the expiry epoch with the transaction and validate it before the execution of the transactions .
in the wallet registry consider adding a function to optionally set the guard of the main console as the safeModerator contract and the fallbackHandler as the ConsoleFallbackHandler in case of the safe is registered directly from the wallet registry not the safeDeployer contract .
60 hours
#0 - c4-pre-sort
2023-10-22T21:08:52Z
raymondfam marked the issue as sufficient quality report
#1 - alex-ppg
2023-10-27T13:54:03Z
While the report is poorly formatted, its statements are valid. Additionally, it misses an overview analysis of the system and general areas it can be made better.
#2 - c4-judge
2023-10-27T13:54:08Z
alex-ppg marked the issue as grade-b