Dizzy Tan Parakeet
High
The checkTransaction method is used in the HatsSignerGate contract to check transactions. The checkTransaction method calls the _countValidSignatures method to verify the number of signatures, but the _countValidSignatures method does not check for duplicate signatures in the signatures array. An attacker can provide multiple identical signatures to forge the number of signatures to meet the requirement and bypass the signature verification logic.
The HatsSignerGate contract uses the checkTransaction method to check transactions. The checkTransaction method calls the _countValidSignatures method to verify the number of signatures. In the _countValidSignatures method, the signatures in the passed signatures array are not checked for duplication. After parsing the signatures one by one, the method only verifies the legitimacy of the signer through isValidSigner(currentOwner), does not record the verified signer, and allows duplicate counting.
The attacker constructs a signatures array containing multiple identical signatures. Each duplicate signature in signatures must pass the isValidSigner(currentOwner) check. The system does not enforce uniqueness of signatures in the signatures array.
When the checkTransaction method is called, the constructed signatures array is used to bypass verification.
The attacker calls a function requiring signature validation, such as checkTransaction. Supplies a signatures array containing multiple identical signatures. The _countValidSignatures method iterates through signatures, validates each signature without checking uniqueness. The duplicate signatures are counted multiple times, allowing the attacker to meet the signature threshold (threshold) and bypass the validation logic.
Affected Party: Safe Signature Verification Mechanism This vulnerability allows an attacker to bypass signature count validation, potentially leading to:
Approval of unauthorized transactions by inflating the valid signature count to meet the threshold. Severe security degradation, enabling an attacker to manipulate Safe transaction approval logic.
No response
Introduce a deduplication mechanism in _countValidSignatures, such as tracking validated signer addresses to avoid counting duplicates. Add signature format validation to enforce uniqueness within the signatures array. Add external constraints during signature validation to prevent the construction of duplicate signatures.