Ragnarok - DoS Attack by Malicious Signer in HatsSignerGate

[sherlock-admin3]

Ragnarok

Medium

DoS Attack by Malicious Signer in HatsSignerGate

Summary

Malicious signer, who have already been revoked the signer hat but have not been removed yet, can submit a signature to Safe transaction, resulting in the transaction revert.

Root Cause

In the HatsSignerGate::checkTransaction function have a check to make sure that have enough valid signatures to execute the transaction.

HatsSignerGate::checkTransaction function:

function checkTransaction(
  ...
  bytes memory signatures,
  ...
) public override {
  ...
  // count the number of valid signatures and revert if there aren't enough
=>if (_countValidSignatures(txHash, signatures, threshold) < threshold) revert InsufficientValidSignatures();
}

The _countValidSignatures(txHash, signatures, threshold) < threshold condition will happen when have one signer, who submit one signature in the list signatures, currently is not the wearer of the registered hat and haven't removed yet. As a result, the transaction will revert.

HatsSignerGate::_countValidSignatures function:

function _countValidSignatures(bytes32 dataHash, bytes memory signatures, uint256 sigCount)
  internal
  view
  returns (uint256 validSigCount)
{
  ...
  for (i; i < sigCount; ++i) {
    ...
=>  if (isValidSigner(currentOwner)) {
      unchecked {
        ++validSigCount;
      }
    }
  }
}

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. Malicious signer, who have already been revoked the signer hat but have not been removed yet, submit a signature to Safe transaction.
2. This cause the HatsSignerGate::checkTransaction function revert and the transaction revert too.

Impact

Malicious signer can DOS the transaction execute until them is removed.

PoC

No response

Mitigation

No response