Upgraded Q -> 2 from #854 [1697894788598]
Judge has assessed an item in Issue 854 as 2 risk. The relevant finding follows: Virtual Account cannot withdraw ERC1155 directly
Upgraded Q -> 3 from #102 [1697893134448]
Judge has assessed an item in Issue 102 as 3 risk. The relevant finding follows: QA-02 Missing requiresApprovedCaller modifier
Upgraded Q -> 2 from #671 [1697894602524]
Judge has assessed an item in Issue 671 as 2 risk. The relevant finding follows: Low-02: It may become economically feasible to coerce depositNonce to overflow
Register Wallet unprotected
Lines of code Vulnerability details Impact In the code comments, it states that: @dev Can only be called by safe deployer or the wallet itself This requires a check for either the safe deployer or the wallet. However there is no check to verify this case, therefore any address can verify their se...
There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin
Lines of code Vulnerability details There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin Impact Can cause malfunctions if the user wants to execute tx via ExecutorPlugin ...
the nonce value is not increasing every time
Lines of code Vulnerability details Impact the nonce value is not increasing every time The nonce value is used to create the TypeHashHelper.Transaction struct that's passed to the buildTransactionStructHash function. The actual value of executorNonce[execRequest.account][execRequest.executor] is...
Nonce update
Lines of code Vulnerability details return uint256(keccak256(abi.encodePacked(ownersHash, ownerSafeCount[ownersHash]++, salt, VERSION))); here ownerSafeCount[ownersHash]++ is used as nonce for different ownerSafeCount mapping if ownersHash is 0 or 1 the mapping will be 0 for the first item. This will cause ...
A new executor cannot be added because of the wrong restriction
Lines of code Vulnerability details Impact A new executor cannot be added because of the wrong restriction Proof of Concept if (!subAccountToExecutors[subAccount].add(executor)) revert AlreadyExists(); The if statement checks if executor to be added to the subAccountToExecutors mapping is not in the...
Malicious sub-account operators can perform cross-chain signature replay attack
Lines of code Vulnerability details Impact Malicious sub-account operators can perform policy or transactions not allowed to the specific chain but allowed in other chain. This is possible due to cross-chain signature replay attack. Proof of Concept To describe the attack, for example, let us hav...
Deploying a Console to the Same Address Across Different Supported Chains Could Become Impossible
Lines of code Vulnerability details Impact In Brahma, Users can interact with SafeDeployer::deployConsoleAccount to deploy console accounts/wallets. To deploy the wallet to the same address across all supported chains, the user needs to interact with the deployConsoleAccount function on all chain...
ExecutorPlugin missing payable when execute the transaction
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept executeTransaction in ExecutorPlugin is meant to execute transaction but in executeTxnAsModule function executeTxnAsModule(address account, Types.Executable memory executable) internal...
Compiler version used by Brahma contracts may introduce permanent bugs in the future
Lines of code Vulnerability details Impact Lack of upgradeability of protocol to adapt with new pragma version may introduce a risk of being targeted by malicious actors if the pragma version 0.8.19 introduces bugs in the future. Here's the list of previous solidity compiler bugs for your referenc...
FallbackHandler remains unset in _setupConsoleAccount()
Lines of code Vulnerability details Impact According to the docs, the fallback handler provides compatibility between pre-1.3.0 and 1.3.0+ Safe contracts, and additionally, also ensures policy validation guarantees required for ConsoleAccounts/SubAccounts that have policy validation enabled. If n...
Everyone can disable policy of any Brahma console account
Lines of code Vulnerability details Impact Everyone can disable policy of any Brahma console account. If you look at the function disablePolicyOnConsole, it is designed to disable the policy and set guards to 0, which is an important decision of any account, but the problem is everyone can disable random...
attacker can perform malicious transactions in the safe because reentrancy is not implemented in the execTransaction() and checkAfterExecution() function
Lines of code Vulnerability details Impact Due to reentrancy, it's possible to set a guard or threshold during the execTransaction and execute another malicious transaction which resets the guard and threshold Proof of Concept to prevent reentrancy during the safe's execTransaction function code...
check that the default consoleFallbackHandler and SafeModerator have not been changed after executing every transaction by the executors and the operator will always revert and freeze all the functionality of the sub account if the owners of console account have changed these addresses
Lines of code Vulnerability details Impact this vulnerability will lead to freeze all the functionality of the sub account and revert on all the transactions. Proof of Concept the main console is allowed to change the guard of the sub accounts and the fallback handler of the sub accounts, but if...
Registered wallet and sub account cannot be removed
Lines of code Vulnerability details Impact Registered wallet and sub account cannot be removed Proof of Concept In WalletRegistry, the wallet can be registered by calling registerWallet the sub account can be registered as well by calling registerSubAccount However, once registered, the wallet or...
checkAfterExecution() function has a design flaw
Lines of code Vulnerability details Impact checkAfterExecution function has a design flaw. It may cause some dangerous problems, such as signers can change the threshold of the vault, giving themselves increased control over future transactions and breaking an important trust assumption of the...
TransactionValidator does not validate gas token address and gas price parameter when validating the transaction
Lines of code Vulnerability details Impact TransactionValidator does not validate gas token address and gas price parameter when validating the transaction Proof of Concept the safe transaction struct is listed below: struct SafeTransactionParams { Enum.Operation operation; address from; address to...
Account should be able to add max time it would want its transaction to be executed.
Lines of code Vulnerability details Impact Account is not allowed to specify the expiration time for its request execution, since most requests run arbitrary calls, which might be time bound. Proof of Concept A lot of transactions or calls on the blockchain are time bound, let's say for example Alice...
the operators of the sub account can execute any transaction (not restricted by policy) to a 3rd party without going through the policy validation process by the trustedValidator
Lines of code Vulnerability details Impact this vulnerability will cause the tokens of the sub accounts to be stolen or perform any activity on the subAccounts without the validation against the policy and will allow the operators to execute transactions that are not restricted by the policy of t...
the function _validateExecutionRequest checks the valid executor account by the address of account given in call data instead of msg.sender which is really easily exploitable
Lines of code Vulnerability details Impact the function validateExecutionRequest checks the valid executor account by the address of account given in call data instead of msg.sender which is really easily exploitable if you look at the function function validateExecutionRequest(ExecutionRequest...
Signed data may be usable cross-chain
Lines of code Vulnerability details Impact The function validatePreTransactionOverridable, which validates a txn on guard before execution for Brahma console accounts, takes one parameter "txParams" which is of type SafeTransactionParams struct. If we look at that struct's members: struct...
ConsoleFallbackHandler.sol#simulate transaction cannot simulate transaction properly
Lines of code Vulnerability details Impact ConsoleFallbackHandler.sol does not use static call or delegate call Proof of Concept In the function / @dev Performs a delegetecall on a targetContract in the context of self. Internally reverts execution to avoid side effects making it static. Catches...
registerWallet in WalletRegistry missing access control
Lines of code Vulnerability details Impact registerWallet in WalletRegistry missing access control Proof of Concept the wallet can be registered by calling registerWallet /** @notice Registers a wallet @dev Can only be called by safe deployer or the wallet itself */ function registerWallet() external ...
getModulesPaginated does not return the correct data
Lines of code Vulnerability details Impact In ConsoleFallbackHandler, you can call getModules to return the first 10 modules: function getModules() external view returns (address[] memory) { GnosisSafe safe = GnosisSafe(payable(msg.sender)); (address[] memory array,) = safe.getModulesPaginated(SENTINEL_MODULES, 10...
Console account cannot execute a transaction on a sub account unless it registers itself as an executor
Lines of code Vulnerability details The Executor is an account authorized to make module transactions on a subAccount via ExecutorPlugin. The executor is assigned/registered by the subaccount created by the console account. But the console account itself cannot execute the transaction & is...
Insufficient validation of contracts when setting authorised address.
Lines of code Vulnerability details Impact governance can set Malicious contract as authorised address and since the AddressProvider.sol is a singular source of truth an attacker can craft an exploit to abuse authorizedAddress privileges. Proof of Concept A miniaturised POC is shown below. in the...
Executor can effectively bypass _checkSubAccountSecurityConfig by adding a new Module
Lines of code Vulnerability details Impact An Executor is an account authorized to perform module execution on a subAccount through the ExecutorPlugin. Gnosis Safe Modules manage to bypass the entire guard logic Safe 1.5 has that new guard hook, but there's also no hook logic done in Brahma. For...
Enabled modules after being activated cannot subsequently be disabled
Lines of code Vulnerability details Impact Modules are third party accounts and they have some level of access to the GnosisSafe depending on configuration by the account owner. Therefore, they are created and assigned by account owners and they can execute transactions independently but they...
DoS issue presented in Brahma's latest audit still has potential control flow paths that can lead to same vulnerability
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Following the "ConsoleAccount execTransaction" flow outlined via Brahma's Architecture diagram, as we can see: calling execTransaction calls checkTransaction function on...
There is still a risk that operators or executors can backdoor the subaccount.
Lines of code Vulnerability details Impact The checkSubAccountSecurityConfig function ensures that the guard and fallback handler have not been disabled or updated, and that the owner console as a module has not been disabled by any operators or executors. This helper function is used as a last...
Unauthorized account can update policy of any account without a policy
Lines of code Vulnerability details Impact Unauthorized account can update policy of any account without a policy Proof of Concept if (currentCommit == bytes32(0) && msg.sender == AddressProviderService.getAuthorizedAddress(SAFEDEPLOYERHASH)) The argument passed into getAuthorizedAddress -...
registerWallet() does not validate the sender
Lines of code Vulnerability details Issue registerWallet in WalletRegistry.sol does not guarantee that the sender is the safe deployer. registerWallet should be called from the safe deployer, in the context of deployConsoleAccount // Register Wallet /// @dev This function is being packed as a par...
The same console addresses on other chains can be captured by compromised or malicious owner
Lines of code Vulnerability details Impact The same order of owners addresses lets generate the same console address on all chains. But any owner from the list can deploy console accounts on other chains with threshold parameter equals 1 and then change owners in these accounts, i.e. capture thes...
The WalletRegistry.sol#registerWallet() function can be used to register wallet by anyone.
Lines of code Vulnerability details Impact Anyone can register wallet allowing anyone to set the iswallet[msg.sender] to true for themselves allowing them to exploit other functions. Proof of Concept From the comment on the registerWallet function below, the registerWallet function Can only be call...
disallowing the executor to sign the transaction with the expiryEpoch may allow or prevent the transaction to be executed at the wrong time for the executor, who is responsible for performing the strategies, and will hamper the automation process
Lines of code Vulnerability details Impact preventing the executor from setting an ExpiryEpoch to the transaction to be executed within it will hamper the automation process and may allow the transactions to be executed at an improper time in which the strategy became invalid which may cau...
ExecutorPlugin.executeTransaction() is prone to cross-chain replay attacks.
Lines of code Vulnerability details The function executeTransaction is used by executors to validate and execute transactions via a module transaction. the function takes in the input ExecutionRequest and does no validation of the msg.sender. therefore this creates an opening in which a malicious...
A malicious actor can Block stuff the chain until the validator signature expires.
Lines of code Vulnerability details Impact The signature of a validator is time bound of which after the expiration period the transaction becomes invalid, a malicious user might notice a time bound transaction made by the sub account and decide to block stuff the network until the validator...
number of txs of executors must be executors + 1 but this loop will +1 in every cycle
Lines of code Vulnerability details Impact number of txns of executors must be executors + 1 but this loop will +1 in every cycle the code structure is designed the way the number of txns of executors in enableExecutorPluginOnSubAccount function counts the length of executors txns and it should be...
Resetting a sub-account's guard manually from the Main Console can potentially lead to a permanent denial of service (DoS) for that sub-account.
Lines of code Vulnerability details Impact If the Main Console resets the guard, resets the fallback handler, or disables itself as a module of a sub-account, the executors will permanently cease executing any transactions on that sub-account. And also if the Main Console resets the fallback...
Cross-Chain Signature Replay Attack
Lines of code Vulnerability details Impact 1. User operations can be replayed on smart accounts across different chains. This can lead to users losing funds or any unexpected behaviour that transaction replay attacks usually lead to. 2. Mistakes made on one chain can be re-applied to a new...
Missing payable modifier in ExecutorPlugin.executeTransaction(): Restricts Use of Native Assets (ETH) with Transactions
Lines of code Vulnerability details Impact A registered executor for a submodule cannot send ETH native assets with a transaction because the payable modifier is missing in the executeTransaction function. It's essential to address this issue to ensure full compatibility and functionality for...
No function to remove a subaccount
Lines of code Vulnerability details Impact A subaccount that has been taken over by an attacker can not be removed. Proof of Concept The WalletRegistry.sol contract has a registerSubAccount function but does not have another function that can remove a subAccount in case a subAccount is compromise...
SafeDeployer: calling the function _genNonce would overflow.
Lines of code Vulnerability details Impact Gnosis Safe account cannot be created due to overflow of genNonce Proof of Concept The contract SafeDeployer deploys the Gnosis Safe account. To do this, there is a set of functions which accomplish this task. First the function deployConsoleAccount will be...
Lack of Input Validation on threshold and _owners
Lines of code Vulnerability details Impact Unvalidated inputs can lead to unexpected contract behaviors, including but not limited to, incorrect configurations, locked funds, or erroneous operations. In extreme cases, it could also lead to security vulnerabilities if malicious actors can exploit...
Protocol's invariants can be broken
Lines of code Vulnerability details Impact Due to insufficient input validation to the inputs of the external function "deploySubAccount" in the SafeDeployer.sol contract, a malicious subAccount wallet can be imported, registered and then take control over other subAccounts. This can cause many...
Nonce is not incremented after using signature for policy validation
Lines of code Vulnerability details Impact Nonce is not incremented after using signature for policy validation Proof of Concept In PolicyValidator.sol there is a function function isPolicySignatureValid(address account, address to, uint256 value, bytes memory data, Enum.Operation operation, byte...
No proper validation of Singleton
Lines of code Vulnerability details Bug Description Operators, executors, or the Main Console account can execute transactions on behalf of a SubAccount. SubAccounts must have an enabled SafeModerator guard, which checks whether the guard and handler have not been disabled or updated, and whether...
The _validateExecutionRequest() function does not include a check for expiration signatures.
Lines of code Vulnerability details Impact To maintain validity, user signatures must have an expiration or timestamp deadline. Otherwise, the signature grants the message a "lifetime license." The validateExecutionRequest function needs to include a check for expiration signatures. Otherwise,...