Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Owner/s can remove all wallet owners #135

Open
c4-bot-10 opened this issue Mar 21, 2024 · 9 comments
Open

Owner/s can remove all wallet owners #135

c4-bot-10 opened this issue Mar 21, 2024 · 9 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-18 grade-a Q-09 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_08_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-10
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L102-L110

Vulnerability details

Impact

The current implementation of removing an owner allows a single owner to remove all users even himself from the wallet ownership

Proof of Concept

The following function inherited by the wallet contract allows any owner to remove all (even himself) as a owner

https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L102-L110

The POC is added to the RemoveOwnerAtIndex.t.sol tests file :

    function testRemoveAllOwners() public {
        uint256 numOfOwners = mock.nextOwnerIndex();
        // console.log("owners", numOfOwners);

        // @ this call be batched with `CoinbaseSmartWallet#executeBatch`

        // @!! the current calling account must be the last index as a owner to call the following function
        vm.startPrank(owner1Address);
        for (uint256 i = numOfOwners - 1; i> 0; i--) { 
            mock.removeOwnerAtIndex(i);
        }
        vm.stopPrank();
    }

Main points from the POC are:

  1. To remove all the owners the calling (malicious) owner must remove itself as the last one
  2. The entire call can be constructed offline (with ownerAtIndex returning some value) and batched with CoinbaseSmartWallet#executeBatch

Tools Used

Manual review

Recommended Mitigation Steps

Allow the owner to only remove himself from the wallet.

With the current removeOwnerAtIndex removing a address cannot be simply done becouse some owners register them self as an EC point.

The solution would be to create a new function wich uses a signature to verify (like with CoinbaseSmartWallet_validateSignature) that the msg.sender is indeed the right user to remove.

Assessed type

Error
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 21, 2024
c4-bot-10 added a commit that referenced this issue Mar 21, 2024
@c4-bot-10
imare issue #135
e571843
@c4-bot-13 c4-bot-13 added the 🤖_08_group AI based duplicate group recommendation label Mar 21, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 21, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #18

@raymondfam
Copy link

See #18.

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #22

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #181

@c4-judge c4-judge reopened this Mar 27, 2024
@c4-judge
Copy link
Contributor

3docSec marked the issue as not a duplicate

@c4-judge
Copy link
Contributor

3docSec marked the issue as duplicate of #18

@c4-judge c4-judge added duplicate-18 downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 27, 2024
@c4-judge
Copy link
Contributor

3docSec changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

3docSec marked the issue as grade-a

@C4-Staff C4-Staff reopened this Apr 1, 2024
@C4-Staff C4-Staff added the Q-09 label Apr 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-18 grade-a Q-09 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_08_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@raymondfam @c4-judge @c4-pre-sort @C4-Staff @c4-bot-10 @c4-bot-13