Elegant Carbon Nightingale
Medium
Iterating over an unbounded array in the HatsSignerGate::_removeSigner function can cause the function to fail.
The HatsSignerGate::_removeSigner function calls SafeManagerLib::findPrevOwner to identify the previous signer of the signer to be removed. However, the _owners array parameter is unbounded. If the array is too large, this iteration may exceed the gas limit, causing the transaction to revert.
HatsSignerGate::_removeSigner function:
    function _removeSigner(address _signer) internal {
        ...
        if (owners.length == 1) {
            removeOwnerData = SafeManagerLib.encodeSwapOwnerAction(SafeManagerLib.SENTINELS, _signer, address(this));
        } else {
            uint256 newThreshold = _getNewThreshold(owners.length - 1);
            // => findPrevOwner iterates over the owners array
            removeOwnerData = SafeManagerLib.encodeRemoveOwnerAction(SafeManagerLib.findPrevOwner(owners, _signer), _signer, newThreshold);
        }
        s.execSafeTransactionFromHSG(removeOwnerData);
    }
Failure of the HatsSignerGate::_removeSigner function results in the inability to remove signers.
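
To see how the lookup cost scales with the number of owners, the following sketch is an added example and is not the HatsSignerGate or SafeManagerLib source. The contract name, function names and sentinel value are assumptions made for illustration; it measures the gas spent by a linear previous-owner scan in the worst case, where the signer being removed is last in the array.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; all names are hypothetical and this is not
/// the project's implementation of findPrevOwner.
contract PrevOwnerScanDemo {
    // Assumed sentinel value for this sketch (head of a Safe-style owner list).
    address internal constant SENTINEL = address(0x1);

    /// Linear search for the element that precedes `owner` in `owners`.
    /// Returns SENTINEL when `owner` is the first element.
    function findPrevOwnerScan(address[] memory owners, address owner)
        public
        pure
        returns (address prev)
    {
        prev = SENTINEL;
        for (uint256 i = 0; i < owners.length; ++i) {
            if (owners[i] == owner) {
                if (i > 0) prev = owners[i - 1];
                return prev;
            }
        }
        revert("owner not found");
    }

    /// Gas consumed by the scan when the target is the last of `n` owners,
    /// i.e. the case in which every element has to be visited.
    function worstCaseScanGas(uint256 n) external view returns (uint256 used) {
        require(n > 0, "n must be > 0");
        address[] memory owners = new address[](n);
        for (uint256 i = 0; i < n; ++i) {
            // Constructed sample addresses 0x2, 0x3, ... (not real signers).
            owners[i] = address(uint160(i + 2));
        }
        uint256 startGas = gasleft();
        findPrevOwnerScan(owners, owners[n - 1]);
        used = startGas - gasleft();
    }
}
```

Calling worstCaseScanGas with increasing n on a local test network shows the scan cost growing with the owner count, which is the growth the finding is concerned about.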