Joyous Cobalt Chameleon
High
When a single hatId (e.g., ownerHat) is assigned to multiple users, and some of these users also hold a signerHat, the overlap creates a critical vulnerability. It allows malicious actors to reduce thresholds or manipulate governance by exploiting their dual roles. This breaks the intended separation of roles and undermines the protocol’s security model.
The protocol fails to enforce strict separation between ownership (ownerHat) and signing authority (signerHat). A single wearer assigned both roles can act unilaterally to modify governance parameters or approve malicious transactions ( call all ownerhat function) .
1-A single hatId (e.g., ownerHat) is assigned to multiple wearers. 2-At least one wearer of ownerHat also holds a signerHat ( safe owner).
A user with overlapping roles executes governance actions, such as reducing thresholds.
1-Assign ownerHat and signerHat to the same user (e.g., Alice).
2-Alice, acting as an owner, reduces the threshold to 1 using setThresholdConfig() .
3-Alice, acting as a signer, approves malicious transactions with no additional checks due to the reduced threshold.
4-Governance checks are bypassed, allowing unauthorized actions.
-Severity: High -Attack Surface: Governance manipulation ( the signer can call all ownerhat function) , unauthorized approvals -Affected Components: HatsSignerGate governance and transaction approval
No response
Add a validation mechanism in the governance logic:
require(!isOwnerAndSigner(msg.sender), "Cannot hold both ownerHat and signerHat");Alternatively, introduce an additional approval layer for sensitive actions like modifying thresholds.