Skip to content

Latest commit

 

History

History
55 lines (34 loc) · 1.63 KB

013.md

File metadata and controls

55 lines (34 loc) · 1.63 KB
Raw

Radiant Neon Osprey

Medium

Not to check the return value can lead to an inconsistent state in the protocol

Summary

The missing check in return value of SafeManagerLib::execTransactionFromModule can lead to an inconsistent state in the protocol

Root Cause

In SafeManagerLib::execTransactionFromModule is missing a check of return value

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

1.inconsistent state in the protocol

PoC

execSafeTransactionFromHSG is called when exected _removeSigner or _addSigner.

From the IModuleManager::execTransactionFromModule interface we can see:

  function execTransactionFromModule(address to, uint256 value, bytes memory data, Enum.Operation operation)
    external
    returns (bool success);

However when implement the execSafeTransactionFromHSG from SafeManagerLib https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/lib/SafeManagerLib.sol#L164-L166

  function execSafeTransactionFromHSG(ISafe _safe, bytes memory _data) internal {
    _safe.execTransactionFromModule({ to: address(_safe), value: 0, data: _data, operation: Enum.Operation.Call }); //@audit return status not checked ?
  }

The return value if the transaction is sucess is not checked.

When protocol execute _addSigner or _removeSigner , removeOwner or addOwnerWithThreshold is called to safe wallet. Once above transaction result in failed, the state between Hats and safe is inconsistent

Mitigation

check the return value of _safe.execTransactionFromModule