Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-08-ARBITRUM-FINDINGS-ISSUES-244
HistoryAug 10, 2023 - 12:00 a.m.

Anyone can change the members of Security Council

2023-08-1000:00:00
Code4rena
github.com
5
security council
perform function
securitycouncilmembersyncaction.sol
contract
unrestricted
governance
vulnerability
mitigation steps
specific addresses
modifier
JSON

Lines of code

Vulnerability details

Impact

Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all.

Proof of Concept

uint256 updateNonce = getUpdateNonce(_securityCouncil);
        if (_nonce <= updateNonce) {
            // when nonce is too now, we simply return, we don't revert.
            // this way an out of date update will actual execute, rather than remaining in an unexecuted state forever
            emit UpdateNonceTooLow(_securityCouncil, updateNonce, _nonce);
            return false;
        }

        // store the nonce as a record of execution
        // use security council as the key to ensure that updates to different security councils are kept separate
        _setUpdateNonce(_securityCouncil, _nonce);

        IGnosisSafe securityCouncil = IGnosisSafe(_securityCouncil);
        // preserve current threshold, the safe ensures that the threshold is never lower than the member count
        uint256 threshold = securityCouncil.getThreshold();

        address[] memory previousOwners = securityCouncil.getOwners();

        for (uint256 i = 0; i < _updatedMembers.length; i++) {
            address member = _updatedMembers[i];
            if (!securityCouncil.isOwner(member)) {
                _addMember(securityCouncil, member, threshold);
            }
        }

        for (uint256 i = 0; i < previousOwners.length; i++) {
            address owner = previousOwners[i];
            if (!SecurityCouncilMgmtUtils.isInArray(owner, _updatedMembers)) {
                _removeMember(securityCouncil, owner, threshold);
            }
        }
        return true;

This is the code of the perform function, and only thing that is related to the msg.sender is the nonce which is updated in the mapping of the address of the msg.sender. The rest code is general and will not require any ownership or special role to be called. This will lead to changing of the security council members by anyone.

Tools Used

VSCode.

Recommended Mitigation Steps

The function should be called by only specific addresses having role, which can be achieved by a proper modifier.

Assessed type

Governance

The text was updated successfully, but these errors were encountered:

All reactions

JSON