Any owner can fully control the smart wallet. #115
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-18
grade-a
Q-11
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_08_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
Comments
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #18
See #18.
raymondfam marked the issue as duplicate of #22
raymondfam marked the issue as duplicate of #181
3docSec marked the issue as not a duplicate
3docSec marked the issue as duplicate of #18
3docSec changed the severity to QA (Quality Assurance)
3docSec marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/main/src/SmartWallet/CoinbaseSmartWallet.sol#L189-L212
Vulnerability details
Impact
Every owner of the smart wallet can add or remove other owners to/from the smart wallet, and can also remove all owners from the smart wallet.
Proof of Concept
Owners can interact with the smart wallet through a `UserOperation`, and can also interact directly using the `execute` and `executeBatch` functions of the `CoinbaseSmartWallet`.
https://github.com/code-423n4/2024-03-coinbase/blob/main/src/SmartWallet/CoinbaseSmartWallet.sol#L189-L212
`_call(target, value, data)` allows any owner to do any operation using `CoinbaseSmartWallet`. So, a malicious owner can call this `_call` function to add or remove the owners of the `CoinbaseSmartWallet`. And all of the assets and operations of the `CoinbaseSmartWallet` can be managed by any owner. So it has the same vulnerabilities as a traditional EOA.
Tools Used
Manual review
Recommended Mitigation Steps
Add additional security functions to prevent the traditional vulnerabilities, and restrict the permission to add or remove the owners.
Assessed type
Other
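An added illustration of the mitigation suggested in the report, not code from the Coinbase repository: a hypothetical minimal multi-owner wallet (`GuardedWallet`, with invented names) whose `execute` still forwards arbitrary calls through `_call`, but rejects self-calls that target owner management and requires more than half of the owners to approve before an owner is added or removed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal multi-owner wallet written for this note, not the CoinbaseSmartWallet
// code. `execute` still forwards arbitrary calls through `_call`, but a self-call aimed at
// owner management is rejected, and addOwner/removeOwner need a strict majority of owners.
contract GuardedWallet {
    mapping(address => bool) public isOwner;
    uint256 public ownerCount;
    uint256 public changeNonce; // bumped after each applied change, voiding stale approvals
    mapping(bytes32 => mapping(address => bool)) private hasApproved;
    mapping(bytes32 => uint256) public approvals;
    error Unauthorized();
    error SelfCallBlocked(bytes4 selector);
    error BadOwnerChange();
    error CallFailed(bytes result);
    modifier onlyOwner() { if (!isOwner[msg.sender]) revert Unauthorized(); _; }
    constructor(address[] memory owners) {
        for (uint256 i = 0; i < owners.length; i++) isOwner[owners[i]] = true;
        ownerCount = owners.length;
    }
    // Any owner may call out, but the wallet refuses to be told to call its own
    // addOwner/removeOwner, so `execute` cannot be used to bypass the approval rule.
    function execute(address target, uint256 value, bytes calldata data) external payable onlyOwner {
        if (target == address(this) && data.length >= 4) {
            bytes4 sel = bytes4(data[:4]);
            if (sel == this.addOwner.selector || sel == this.removeOwner.selector) revert SelfCallBlocked(sel);
        }
        _call(target, value, data);
    }
    function addOwner(address account) external onlyOwner {
        if (isOwner[account]) revert BadOwnerChange();
        if (_approve(keccak256(abi.encode(changeNonce, "add", account)))) { isOwner[account] = true; ownerCount++; changeNonce++; }
    }
    function removeOwner(address account) external onlyOwner {
        if (!isOwner[account] || ownerCount == 1) revert BadOwnerChange(); // never leave the wallet ownerless
        if (_approve(keccak256(abi.encode(changeNonce, "remove", account)))) { isOwner[account] = false; ownerCount--; changeNonce++; }
    }
    // One approval per owner per pending change; true once more than half of the owners agree.
    function _approve(bytes32 id) private returns (bool) {
        if (hasApproved[id][msg.sender]) return false;
        hasApproved[id][msg.sender] = true;
        return ++approvals[id] * 2 > ownerCount;
    }
    function _call(address target, uint256 value, bytes memory data) private {
        (bool ok, bytes memory result) = target.call{value: value}(data);
        if (!ok) revert CallFailed(result);
    }
}
```

With a single owner the majority rule degenerates to that owner alone, so the guard only adds protection once the wallet has two or more owners.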