Dizzy Tan Parakeet
Medium
In the HatsSignerGate contract, the checkTransaction method uses safe.nonce() - 1 to record the initial nonce of a transaction. If safe.nonce() equals 0, this will result in an integer underflow, causing an exception and disrupting the verification logic.
https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L424 In the checkTransaction method, _initialNonce is set to safe.nonce() - 1 without verifying whether safe.nonce() is 0. This lack of validation causes an underflow when safe.nonce() equals 0.
The initial value of safe.nonce() is 0. The checkTransaction method is called, triggering the _initialNonce = safe.nonce() - 1 logic. No check is performed to ensure safe.nonce() is not 0.
The contract's safe.nonce() has not been incremented by any transaction.
The value of safe.nonce() is 0 during initialization. The checkTransaction method is invoked. Underflow occurs at _initialNonce = safe.nonce() - 1, disrupting the transaction validation logic.
Affected Party: Transaction validation logic in the HatsSignerGate contract
If safe.nonce() is 0, the first transaction could fail validation due to the underflow, preventing proper execution. Other functionalities relying on transaction validation may also be affected, halting the normal operation of the system.
No response
No response