-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Owner/s can remove all wallet owners #135
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-18
grade-a
Q-09
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_08_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
Comments
raymondfam marked the issue as sufficient quality report |
raymondfam marked the issue as duplicate of #18 |
See #18. |
raymondfam marked the issue as duplicate of #22 |
raymondfam marked the issue as duplicate of #181 |
3docSec marked the issue as not a duplicate |
3docSec marked the issue as duplicate of #18 |
3docSec changed the severity to QA (Quality Assurance) |
3docSec marked the issue as grade-a |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-18
grade-a
Q-09
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_08_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L102-L110
Vulnerability details
Impact
The current implementation of removing an owner allows a single owner to remove all users even himself from the wallet ownership
Proof of Concept
The following function inherited by the wallet contract allows any owner to remove all (even himself) as a owner
https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L102-L110
The POC is added to the
RemoveOwnerAtIndex.t.sol
tests file :Main points from the POC are:
ownerAtIndex
returning some value) and batched withCoinbaseSmartWallet#executeBatch
Tools Used
Manual review
Recommended Mitigation Steps
Allow the owner to only remove himself from the wallet.
With the current
removeOwnerAtIndex
removing a address cannot be simply done becouse some owners register them self as an EC point.The solution would be to create a new function wich uses a signature to verify (like with
CoinbaseSmartWallet_validateSignature
) that the msg.sender is indeed the right user to remove.Assessed type
Error
The text was updated successfully, but these errors were encountered: