Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Defender may not be able to call disableAllMultisigs #404

Closed
code423n4 opened this issue Jan 2, 2023 · 5 comments
Closed

Defender may not be able to call disableAllMultisigs #404

code423n4 opened this issue Jan 2, 2023 · 5 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue fix security (sponsor) Security related fix, should be fixed prior to launch grade-c QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/Ocyticus.sol#L55-L66

Vulnerability details

Impact

Ocyticus only have a disableAllMultisigs function, which may revert if the count is too large (due to out of gas). Although the multisig set is currently limited to 10, it might change in the future and there are no clear documentation that the Ocyticus would also need to be redesigned.

https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MultisigManager.sol#L79

	/// @dev There will never be more than 10 total multisigs. If we grow beyond that we will redesign this contract.

Proof of Concept

https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/Ocyticus.sol#L55-L66

	function disableAllMultisigs() public onlyDefender {
		MultisigManager mm = MultisigManager(getContractAddress("MultisigManager"));
		uint256 count = mm.getCount();

		address addr;
		bool enabled;
		for (uint256 i = 0; i < count; i++) {
			(addr, enabled) = mm.getMultisig(i);
			if (enabled) {
				mm.disableMultisig(addr);
			}
		}

Recommended Mitigation Steps

Allow Ocyticus to disable individual multisig
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 2, 2023
code423n4 added a commit that referenced this issue Jan 2, 2023
@code423n4
gzeon issue #404
defb198
C4-Staff added a commit that referenced this issue Jan 6, 2023
@C4-Staff
original risk added for issue #404
a45b9d0
@GalloDaSballo
Copy link

Because of clearly defined settings I think this will be invalid, but will flag to Sponsor

@0xju1ie
Copy link

0xju1ie commented Jan 19, 2023

I think if we add #521 then we would have to add this one too but not sure

But as the protocol currently sits I would think this is invalid or QA at best

@0xju1ie 0xju1ie added disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) fix security (sponsor) Security related fix, should be fixed prior to launch labels Jan 19, 2023
@GalloDaSballo
Copy link

Per the sponsor's comment, I think the finding is a QA report

L

@c4-judge c4-judge added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax downgraded by judge Judge downgraded the risk level of this issue and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jan 31, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo changed the severity to QA (Quality Assurance)

c4-judge added a commit that referenced this issue Jan 31, 2023
@c4-judge
Q-report created from downgraded finding #404
a383437
@c4-judge c4-judge closed this as completed Feb 8, 2023
@c4-judge c4-judge added grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Feb 8, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 8, 2023

GalloDaSballo marked the issue as grade-c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue fix security (sponsor) Security related fix, should be fixed prior to launch grade-c QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@GalloDaSballo @0xju1ie @code423n4 @c4-judge