Elegant Carbon Nightingale

Medium

DoS Attack by Malicious Signer in HatsSignerGate

Summary

A malicious signer whose signer hat has already been revoked, but who has not been removed yet, can submit a signature to a Safe transaction, causing the transaction to revert.

Root Cause

The HatsSignerGate::checkTransaction function contains a check to make sure that there are enough valid signatures to execute the transaction.

HatsSignerGate::checkTransaction function:

function checkTransaction(
  ...
  bytes memory signatures,
  ...
) public override {
  ...
  // count the number of valid signatures and revert if there aren't enough
=>if (_countValidSignatures(txHash, signatures, threshold) < threshold) revert InsufficientValidSignatures();
}

The _countValidSignatures(txHash, signatures, threshold) < threshold condition holds when one signer who submitted a signature in the signatures list is currently not the wearer of the registered hat and has not been removed yet. As a result, the transaction will revert.

HatsSignerGate::_countValidSignatures function:

function _countValidSignatures(bytes32 dataHash, bytes memory signatures, uint256 sigCount)
  internal
  view
  returns (uint256 validSigCount)
{
  ...
  for (i; i < sigCount; ++i) {
    ...
=>  if (isValidSigner(currentOwner)) {
      unchecked {
        ++validSigCount;
      }
    }
  }
}
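
The counting logic above, modelled off-chain as an added example (not code from the report or from HatsSignerGate). Each signature is reduced to the address it recovers to; the addresses, the threshold of 2 and the preflight helper are constructed for illustration.

```python
# Simplified model (an assumption, not the contract's code): a signature is
# represented only by the address it recovers to; no ECDSA recovery is done.

class InsufficientValidSignatures(Exception):
    """Mirrors the revert at the end of checkTransaction."""


def count_valid_signatures(signers, sig_count, is_valid_signer):
    """Model of _countValidSignatures: inspect only the first sig_count
    signatures and count those whose signer passes isValidSigner."""
    valid = 0
    for owner in signers[:sig_count]:
        if is_valid_signer(owner):
            valid += 1
    return valid


def check_transaction(signers, threshold, is_valid_signer):
    """Model of the final check in checkTransaction."""
    if count_valid_signatures(signers, threshold, is_valid_signer) < threshold:
        raise InsufficientValidSignatures()
    return True


def preflight(signers, threshold, is_valid_signer):
    """Hypothetical off-chain helper: list the signers among the counted
    signatures that no longer wear the signer hat."""
    return [s for s in signers[:threshold] if not is_valid_signer(s)]


# Constructed scenario: threshold 2; "0xB" has had the signer hat revoked
# but has not been removed yet.
HAT_WEARERS = {"0xA", "0xC"}
THRESHOLD = 2


def wears_hat(addr):
    return addr in HAT_WEARERS


def would_revert(signers):
    """True if the modelled check raises InsufficientValidSignatures."""
    try:
        check_transaction(signers, THRESHOLD, wears_hat)
        return False
    except InsufficientValidSignatures:
        return True
```

Running preflight on a signature set before submission shows which counted signatures come from signers that isValidSigner would reject.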

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. A malicious signer, whose signer hat has already been revoked but who has not been removed yet, submits a signature to a Safe transaction.
  2. This causes the HatsSignerGate::checkTransaction function to revert, and the transaction reverts too.

Impact

A malicious signer can DoS transaction execution until they are removed.

PoC

No response

Mitigation

No response