Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing Validation to Ensure Hot Signers are Safe Owners #11

Closed
howlbot-integration bot opened this issue Oct 27, 2024 · 4 comments
Closed

Missing Validation to Ensure Hot Signers are Safe Owners #11

howlbot-integration bot opened this issue Oct 27, 2024 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/solidity-labs-io/kleidi/blob/0d72b6cb5725c1380212dc76257da96fcfacf22f/src/Timelock.sol#L52
https://github.com/solidity-labs-io/kleidi/blob/0d72b6cb5725c1380212dc76257da96fcfacf22f/src/Timelock.sol#L264-L309
https://github.com/solidity-labs-io/kleidi/blob/0d72b6cb5725c1380212dc76257da96fcfacf22f/src/Timelock.sol#L759-L769

Vulnerability details

Description

In the Timelock contract, there is no check to ensure that the hotSigners are the same as the owners of the safe.

According to the comment on #L:52, "only safe owners can execute whitelisted calldatas," but the constructor and the grantRole() functions do not verify that hot signers are also safe owners.

The separation of the owners array for the safe contract and the hotSigners array for the timelock contract introduces the risk that non-safe owners could be granted the HOT_SIGNER_ROLE and have ablity to execute whitelisted calldatas.

This weakens the intended security model of the system by allowing external or unauthorized addresses to gain the ability to execute privileged actions.

Impact

Non-safe owners may be granted the HOT_SIGNER_ROLE, enabling them to execute whitelisted calldatas without being authorized.

Proof of Concepts

  • In Timelock constructor, hot signers are granted HOT_SIGNER_ROLE, without any checks to ensure they are also safe owners as it's stated in #L:52.

  • the safe owners array and hotSigners array are separate, and nothing ensures in TimelockFactory that owners[i] == hotsigner[i] when Deploying Timelock.

  • The grantRole() function does not validate the account against the list of safe owners to ensure only safe owners can have HOT_SIGNER_ROLE, this allows an arbitrary address to be assigned HOT_SIGNER_ROLE, even if they may not be one of the safe owners.

Recommended mitigation

  • Add a check in the Timelock constructor to ensure that the account we are assigning HOT_SIGNER_ROLE to, is one of the safe owners.

  • remove hotSigners array from DeploymentParams struct as member and simply pass safe owners array on deployment of Timelock, to assign HOT_SIGNER_ROLE to each safe owner.

  • add a check in Timelock::grantRole() function to ensure account is one of the current owners of safe.

Assessed type

Other
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_primary AI based primary recommendation bug Something isn't working primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Oct 27, 2024
howlbot-integration bot added a commit that referenced this issue Oct 27, 2024
@howlbot-integration
JustAWanderKid issue #11
f385481
@ElliotFriedman
Copy link

This is an outdated comment, please refer to the source code and docs for the source of truth.

Disagree with severity, this should be an informational at most.

@ElliotFriedman ElliotFriedman added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Oct 29, 2024
@GalloDaSballo
Copy link

I generally agree with the idea of setting default Hot Signers as Safe Owners, because of an issue I had flagged tied to how a compromised Hot Signer would attack every other chains deployment

That said, this finding pertains to a comment, I think because of it it is valid, but hot signers are not meant to be safe owners as that defeats the purpose, for this reason I think this finding is a good QA finding

@GalloDaSballo
Copy link

GalloDaSballo commented Oct 30, 2024
edited
Loading

I have flagged the issue here, hence marking OOS:
https://github.com/GalloDaSballo/kleidi-notes?tab=readme-ov-file#q-24-original-hot-signer-that-becomes-compromised-or-malicious-can-take-over-all-undeployed-systems

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Oct 30, 2024
@c4-judge
Copy link

GalloDaSballo marked the issue as unsatisfactory:
Out of scope

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @ElliotFriedman @c4-judge