Dizzy Tan Parakeet
Medium
The HatsSignerGate contract’s removeSigner method has a vulnerability that allows an attacker to remove any signer from the Safe. This happens because the method lacks proper caller permission checks and fails to validate _signer thoroughly.
https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L282 In the HatsSignerGate contract, the removeSigner method does not check the caller's permissions and only relies on isValidSigner(_signer) to verify the _signer's Hat status. If _signer no longer wears a valid Hat, the method can be called by any user.
_signer must no longer wear a valid Hat (!isValidSigner(_signer)). The removeSigner method is callable by any user without permission checks.
Call this removeSigner method directly
The attacker calls removeSigner(_signer) with the target _signer’s address. The contract deletes _signer’s record in registeredSignerHats and removes _signer from the Safe’s signer list via _removeSigner. The attacker repeats the process to remove multiple signers, reducing the Safe’s security.
Affected Party: Safe Signers In this attack path, the Safe’s signer list is maliciously tampered with.
The attacker can remove critical signers, obstructing legitimate transaction approvals and disrupting normal operations. The attacker could reduce the number of signers, manipulating the threshold and gaining control over transaction approvals.
// SPDX-License-Identifier: MIT pragma solidity ^0.8.0;
contract Exploit { function exploit(address hsg, address signer) public { HatsSignerGate(hsg).removeSigner(signer); } }
Add permission checks to the removeSigner method, restricting it to specific roles. Validate _signer’s removal by requiring admin or signer confirmation.