Gentle Syrup Panther
High
The disableModule function in ModifierUnowned.sol being marked as public instead of internal will cause unauthorized module removals as any user can bypass the access controls implemented in HatsSignerGate.sol by calling the base contract directly.
In ModifierUnowned.sol, the disableModule function is incorrectly marked as public https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/lib/zodiac-modified/ModifierUnowned.sol#L84C1-L92C4 While HatsSignerGate.sol implements proper access controls: https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L888C1-L892C4
No response
No response
- Attacker identifies a target module and its previous module in the linked list
- Instead of calling disableModule on HatsSignerGate, attacker calls it directly on ModifierUnowned
- The module is disabled without any access control checks (NOT THE OWNER, OR LOCKED )
The protocol suffers from unauthorized module removals, complete loss of Safe access if all signing modules are removed.
No response
Change the visibility of disableModule in ModifierUnowned.sol from public to internal:
function disableModule(address prevModule, address module) `internal` virtual {
// code
}