Radiant Neon Osprey
Medium
- setUp contract using exist safe wallet not enable HSG as guard and module, which break invariants in the
Detailspage
setUp contract using exist safe wallet instead of create a new safe wallet
1.using exsit safe wallet
2.add getStorageAt function to ISafe interface
No response
No response
1.break the invariants
From the detail we can see the invariants: https://audits.sherlock.xyz/contests/614?filter=questions
HSG should always be the guard of the safe (except when detaching itself) HSG should always be enabled as a module of the safe (except when detaching itself)
However when using an exist safe wallet the guard and module is not checked during setUp https://github.com/sherlock-audit/2024-11-hats-protocol/blob/main/hats-zodiac/src/HatsSignerGate.sol#L160-L199
Test:
function test_setUp_Exist_Safe() public {
super.setUp();
// create the instance deployer
DeployInstance instanceDeployer = new DeployInstance();
address[] memory owners = new address[](1);
owners[0] = address(this);
ISafe safeExist = _deploySafe(owners,1,1);
// set up the deployment with the same parameters as the existing HSG (except for the nonce)
instanceDeployer.prepare1(
address(implementationHSG),
ownerHat,
signerHats,
thresholdConfig,
address(safeExist),
false,
false,
address(0), // no guard
new address[](0) // no modules
);
instanceDeployer.prepare2(true, 1);
// deploy the instance
newHSG = instanceDeployer.run();
bytes memory currentGuard = safeExist.getStorageAt(uint256(keccak256("guard_manager.guard.address")),1);
console2.log(abi.decode(currentGuard, (address)));
}out:
[PASS] test_setUp_Exist_Safe() (gas: 20246156)
Logs:
0x0000000000000000000000000000000000000000
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 3.21s (1.59s CPU time)
Ran 1 test suite in 3.21s (3.21s CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)From above output we can see current the address of guard is zero
Checking if the exist safe already set HSG as guard and module