Dizzy Tan Parakeet
Medium
When claimableFor is set to true, an attacker can register new Hats for any legitimate signer, allowing them to abuse the Safe’s signature permissions by calling claimSignerFor or claimSignersFor.
In the HatsSignerGate contract, when claimableFor is set to true, there is no restriction on the caller of claimSignerFor or claimSignersFor, enabling arbitrary users to exploit these methods.
The contract variable claimableFor is set to true. The signer _signer must wear a valid Hat (validated via HATS.isWearerOfHat). The current Safe signature threshold is met (validated by _getRequiredValidSignatures).
Call claimSignerFor or claimSignersFor to register a new Hat for any signer.
The attacker calls claimSignerFor(_hatId, _signer) with a valid signer’s address _signer and Hat ID _hatId. The contract invokes _registerSigner, validating the signer’s ownership of the specified Hat. The contract adds the signer to the Safe via _addSigner. The attacker repeats the process to register multiple Hats and signers.
Affected Party: Safe Signers In this attack path, the Safe’s signature permissions are compromised. Potential risks:
The attacker could register excessive signers, reducing the overall security of the Safe. Malicious registrations could alter threshold configurations, disrupting transaction approval flows.
// SPDX-License-Identifier: MIT pragma solidity ^0.8.0;
contract Exploit { function exploit(address hsg, uint256 hatId, address signer) public { HatsSignerGate(hsg).claimSignerFor(hatId, signer); } }
Add access control to claimSignerFor and claimSignersFor to limit their usage to specific roles. Implement a whitelist mechanism to restrict which signers can be registered.