Submitted on Dec 4th 2023 at 11:54:01 UTC by @copperscrewer for Boost | DeGate
Report ID: #26516
Report type: Smart Contract
Report severity: Insight
Target: https://etherscan.io/address/0x2028834B2c0A36A918c10937EeA71BE4f932da52#code
Impacts:
- Multisig Contract can rendered unusable
Gnosis multisig, has 6 owners and 4 required signatures In the event of removing two owners, There would be 4 owners and 4 required signatures. If replaceOwner was done with the zero address, The required signatures will stay to be 4 while an Owner becomes the 0 address leading to an unusable Gnosis multisig Contract
Gnosis Multisig cannot execute any transaction, cannot add, remove Owners as the contract becomes unusable
Difficulty to Exploit: Easy Weakness: CVSS2 Score: Overall CVSS Score 6.9
Add a notNull modifier to replaceOwner
As we are testing the Gnosis Multisig, that works independently to the L2 contracts, we can test just this contract while replicating the Owners and required state.
Create an empty folder.
npx hardhat init
To create a project with directories like contracts, test
copy paste contract code from https://etherscan.io/address/0x2028834B2c0A36A918c10937EeA71BE4f932da52?utm_source=immunefi#code
to gnosis.sol in contracts folder
change compiler version or directly paste this in module exports in hardhat config.js
This is done since the Gnosis multisig contract uses an old version of solidity
solidity: { compilers: [ { version: "0.4.22", }, { version: "0.8.19", settings: {}, }, ], },
paste following test script in test folder
const {ethers} = require("hardhat")
const {expect, assert} = require("chai")
var gnosis
let owners, deployer
describe("ReplaceOwner bug", function()
{
before(async function(){
owners = (await ethers.getSigners()).slice(0,6)
deployer = owners[0]
})
context("Setup Contract (4/6 multisig) ", () => {
it("Should deploy with 6 owners, 4 required ", async function(){
let gnosisF = await ethers.getContractFactory("MultiSigWallet", deployer)
gnosis = await gnosisF.deploy(
owners,
4
);
expect(await gnosis.required()).to.eq(4);
expect( (await gnosis.getOwners() ).length).to.eq(6);
})
})
context("Bug proof of concept", () => {
it("Should remove two owners", async function(){
let ABI = [
"function transfer(address to, uint amount)",
"function removeOwner(address owner)"
];
let iface = new ethers.Interface(ABI);
data = iface.encodeFunctionData("removeOwner", [ owners[owners.length - 1].address, ] )
//one owner proposes an action through submitTransaction and the others
//adhere through confirmTransaction
// remove one owner [CODE START]
await gnosis.submitTransaction(
await gnosis.getAddress(), //destination
0, //value
data //data
)
for( i=1; i<=3; i++)
{
signer = owners[i];
await gnosis.connect(signer).confirmTransaction(
0 //transaction id
);
}
expect((await gnosis.getOwners()).length).to.eq(5)
// remove one owner [CODE END]
// remove another owner [CODE START]
data = iface.encodeFunctionData("removeOwner", [ owners[owners.length - 2].address, ] )
await gnosis.submitTransaction(
await gnosis.getAddress(), //destination
0, //value
data //data
)
for( i=1; i<=3; i++)
{
signer = owners[i];
await gnosis.connect(signer).confirmTransaction(
1 //transaction id
);
}
expect((await gnosis.getOwners()).length).to.eq(4)
// remove another owner [CODE END]
})
it("Should replace an Owner with zero address", async function(){
let ABI = [
"function transfer(address to, uint amount)",
"function replaceOwner(address owner, address newOwner)"
];
let iface = new ethers.Interface(ABI);
data = iface.encodeFunctionData("replaceOwner", [ owners[2].address, '0x0000000000000000000000000000000000000000'] )
await gnosis.submitTransaction(
await gnosis.getAddress(), //destination
0, //value
data //data
)
for( i=1; i<=3; i++)
{
signer = owners[i];
await gnosis.connect(signer).confirmTransaction(
2 //transaction id
);
}
expect(await gnosis.required()).to.eq(4);
expect((await gnosis.getOwners()).length).to.eq(4);
console.log("Owners are ", await gnosis.getOwners() );
console.log("Required amount of signatures are ", await gnosis.required() );
})
})
})