Potential Vulnerability in execTransactionOnBehalf Function Allowing Destruction of targetSafe contract #61
Comments
The scenario proposed would only affect the targetSafe, not the rest of the organization, given that if the command is executed, this safe can be removed (
Hey @alfredolopez80, thank you for the response. Let's understand this issue in detail. In a typical safe wallet (which does not use the Palmera hierarchical structure), a valid caller can directly call the safe and execute a transaction. This setup is generally trusted because it lacks the complexity of a hierarchical structure, and the permissions are straightforward and easier to manage. However, in the As I mentioned in the issue, any safe with the appropriate role can potentially destroy the targetSafe wallet, which may hold critical assets and more. Let's understand this with a very short example: consider a scenario where a caller (any safe that has authorization to execute transactions on behalf), who is in the process of being removed from their position, decides to exploit this vulnerability. They could use their authorization (by front-running This would not be possible in a typical safe wallet, where a valid caller can directly call the safe and execute a transaction.
I agree with you on the potential damage if any safe executes a delegateCall and self-destructs a safe, but this is real inclusive with your own safe: if you have a safe and call a About the case of any Safe Lead authorized!!, for example, they can take advantage of their role and selfdestruct the wallet, and can even first send all assets (ETH and ERC20) to another wallet under their control, and afterwards lose the role. Finally, I think it is very important that every OnChain organization must be very careful and responsible when assigning these roles and on which safe it applies them!!, because if it does so on people or groups that are capable of executing this type of action, the role scheme is completely distorted.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xcfd1445fe32e3cd61570441481b6861a6508f4873ceb476920c1d26d034eb8a2
Severity: high
Description
The execTransactionOnBehalf function in the PalmeraModule contract allows certain roles (Safe Lead, Super Safe, Root Safe) to execute transactions on behalf. However, there is a potential vulnerability that can be exploited if the to address is malicious. Specifically, if the operation is set to Enum.Operation.DelegateCall, a malicious contract at the to address can execute a selfdestruct operation, leading to the destruction of the targetSafe contract. This can severely disrupt the organization by breaking contract modules and halting all transactions. This occurs when one of the callers who is being removed from their position uses this exploit and destroys the contracts/org.
Attack Scenario
The execTransactionFromModule function internally calls the execute function:
Delegate Call Vulnerability:
- When operation is Enum.Operation.DelegateCall, the delegatecall opcode is used.
- delegatecall executes code from the to address in the context of the calling contract (targetSafe).
- If the to address is a malicious contract containing a selfdestruct operation, it can destroy the targetSafe contract.
Potential Exploit Scenario:
- An authorized caller (e.g., Safe Lead, Super Safe, Root Safe) with malicious intent or a compromised account can call execTransactionOnBehalf with a malicious to address.
- This can occur when one of the owners or a caller who is being removed from their position front-runs the transaction and destroys the targetSafe contract.
- The malicious contract at the to address executes a selfdestruct operation via delegatecall.
- This results in the destruction of the targetSafe contract, breaking the organization's contract modules and halting all transactions.
Example Exploit Code
A malicious contract could look like this:
Attachments
To mitigate this vulnerability, additional checks should be implemented to ensure the to address is not malicious. Specifically, avoid using delegatecall with untrusted addresses
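The mitigation above, shown as an added Solidity illustration that is not Palmera's code and not part of this issue: a simplified module exposes the weak pattern (the caller's role is checked, then `operation` is forwarded to the Safe unchanged) next to a hardened variant that refuses `DelegateCall` unless `to` is on a governance-managed allowlist (for example an audited MultiSend). Everything here is hypothetical and simplified: `HardenedModule`, `roleHolder`, `delegateCallAllowlist`, `governance` and the function parameter lists are assumptions; only the shape of Safe's `execTransactionFromModule` and `Enum.Operation` is reproduced. One caveat worth knowing when assessing the impact: since EIP-6780 (Cancun), `selfdestruct` only removes code and storage when executed in the same transaction that created the contract, but it still sweeps the entire ETH balance, so an unrestricted delegatecall remains a full-asset-loss path and the check is still worthwhile.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for Safe's Enum library and module entry point. Only the shape
// needed for this illustration is reproduced; this is not the Palmera code.
library Enum {
    enum Operation { Call, DelegateCall }
}

interface ISafe {
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        Enum.Operation operation
    ) external returns (bool success);
}

/// Hypothetical, simplified module. `roleHolder` stands in for the real
/// Safe Lead / Super Safe / Root Safe hierarchy; a single governance address
/// manages both the roles and the delegatecall allowlist.
contract HardenedModule {
    address public immutable governance;

    // targetSafe => caller => may act on its behalf
    mapping(address => mapping(address => bool)) public roleHolder;

    // Contracts that may be delegatecalled in a targetSafe's context, e.g. an
    // audited MultiSend. Anything not listed is refused for DelegateCall.
    mapping(address => bool) public delegateCallAllowlist;

    error Unauthorized(address caller, address targetSafe);
    error DelegateCallNotAllowed(address to);

    event RoleSet(address indexed targetSafe, address indexed caller, bool granted);
    event DelegateCallTargetSet(address indexed to, bool allowed);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address _governance) {
        governance = _governance;
    }

    function setRole(address targetSafe, address caller, bool granted) external onlyGovernance {
        roleHolder[targetSafe][caller] = granted;
        emit RoleSet(targetSafe, caller, granted);
    }

    function setDelegateCallTarget(address to, bool allowed) external onlyGovernance {
        delegateCallAllowlist[to] = allowed;
        emit DelegateCallTargetSet(to, allowed);
    }

    // Weak pattern the issue describes: the role check passes and `operation`
    // is forwarded unchanged, so a DelegateCall to any `to` runs with the
    // targetSafe's code and storage as its own context.
    function execTransactionOnBehalfUnchecked(
        ISafe targetSafe,
        address to,
        uint256 value,
        bytes calldata data,
        Enum.Operation operation
    ) external returns (bool) {
        if (!roleHolder[address(targetSafe)][msg.sender]) {
            revert Unauthorized(msg.sender, address(targetSafe));
        }
        return targetSafe.execTransactionFromModule(to, value, data, operation);
    }

    // Hardened variant: DelegateCall is accepted only for allowlisted targets.
    // Plain Call is unaffected, since it executes in the callee's own context.
    function execTransactionOnBehalf(
        ISafe targetSafe,
        address to,
        uint256 value,
        bytes calldata data,
        Enum.Operation operation
    ) external returns (bool) {
        if (!roleHolder[address(targetSafe)][msg.sender]) {
            revert Unauthorized(msg.sender, address(targetSafe));
        }
        if (operation == Enum.Operation.DelegateCall && !delegateCallAllowlist[to]) {
            revert DelegateCallNotAllowed(to);
        }
        return targetSafe.execTransactionFromModule(to, value, data, operation);
    }
}
```

The design choice is to gate on the operation type rather than try to prove a `to` address is "not malicious", which is not decidable on-chain: a plain Call cannot touch the targetSafe's storage or balance beyond the `value` passed, so only DelegateCall needs the allowlist. Because the role holder is itself a Safe, the same rule can also be enforced at the Safe layer, but doing it in the module keeps the check in the code path this issue concerns.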