Skip to content
This repository has been archived by the owner on Jun 11, 2023. It is now read-only.

obront - targetThreshold can be set below minThreshold, violating important invariant #36

Open
sherlock-admin opened this issue Mar 9, 2023 · 2 comments
Open

obront - targetThreshold can be set below minThreshold, violating important invariant #36

sherlock-admin opened this issue Mar 9, 2023 · 2 comments
Labels
Fix Approved Has Duplicates A valid issue with 1+ other issues describing the same vulnerability HSG Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

obront

medium

targetThreshold can be set below minThreshold, violating important invariant

Summary

There are protections in place to ensure that minThreshold is not set above targetThreshold, because the result is that the max threshold on the safe would be less than the minimum required. However, this check is not performed when targetThreshold is set, which results in the same situation.

Vulnerability Detail

When the minThreshold is set on HatsSignerGateBase.sol, it performs an important check that minThreshold <= targetThreshold:

function _setMinThreshold(uint256 _minThreshold) internal {
    if (_minThreshold > maxSigners || _minThreshold > targetThreshold) {
        revert InvalidMinThreshold();
    }

    minThreshold = _minThreshold;
}

However, when targetThreshold is set, there is no equivalent check that it remains above minThreshold:

function _setTargetThreshold(uint256 _targetThreshold) internal {
    if (_targetThreshold > maxSigners) {
        revert InvalidTargetThreshold();
    }

    targetThreshold = _targetThreshold;
}

This is a major problem, because if it is set lower than minThreshold, reconcileSignerCount() will set the safe's threshold to be this value, which is lower than the minimum, and will cause all tranasctions to fail.

Impact

Settings that are intended to be guarded are not, which can lead to parameters being set in such a way that all transactions fail.

Code Snippet

https://github.com/Hats-Protocol/hats-zodiac/blob/9455cc0957762f5dbbd8e62063d970199109b977/src/HatsSignerGateBase.sol#L95-L114

Tool used

Manual Review

Recommendation

Perform a check in _setTargetThreshold() that it is greater than or equal to minThreshold:

function _setTargetThreshold(uint256 _targetThreshold) internal {
+   if (_targetThreshold < minThreshold) {
+     revert InvalidTargetThreshold();
+   }
    if (_targetThreshold > maxSigners) {
        revert InvalidTargetThreshold();
    }

    targetThreshold = _targetThreshold;
}
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Mar 12, 2023
This was referenced Mar 12, 2023
Closed
Closed
Closed
Closed
Closed
@spengrah spengrah added HSG Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 23, 2023
@spengrah spengrah mentioned this issue Mar 27, 2023
Merged
@spengrah
Copy link

Hats-Protocol/hats-zodiac#8

@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 29, 2023
@MLON33
Copy link

MLON33 commented Apr 13, 2023

zobront added "Fix Approved" label

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Fix Approved Has Duplicates A valid issue with 1+ other issues describing the same vulnerability HSG Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zobront @spengrah @sherlock-admin @MLON33