Smooth Graphite Tuna
High
The HatsSignerGate._countValidSignatures function uses the EVM's built-in ecrecover function to count the number of valid signatures. However, ecrecover is susceptible to signature malleability which allows signatures to be slightly modified while still being valid, even without having the private key.
Since number of valid signature check happens in HatsSignerGate.checkTransaction which runs before any Safe transaction executes, an attacker could potentially:
- Take a valid signature
- Modify it slightly to create a new valid signature
- Use this to replay an old transaction that was already executed
Replaying safe's transaction is possible to replay previously signed transactions
Consider using OpenZeppelin’s ECDSA library.