Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exceeding Maximum Owner Limit in Smart Wallet Initialization #64

Open
c4-bot-7 opened this issue Mar 20, 2024 · 9 comments
Open

Exceeding Maximum Owner Limit in Smart Wallet Initialization #64

c4-bot-7 opened this issue Mar 20, 2024 · 9 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates Q-20 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality

Comments

@c4-bot-7
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L162-L174

Vulnerability details

Summary

According to Coinbase Docs:

Our smart wallet supports up to 256 concurrent owners. Each owner can transact independently, without sign off from any other owner.

However, the _initializeOwners() function lack this check for the maximum number of owners allowed by the smart wallet, which is stated to be 256 concurrent owners.

Proof of Concept

    function _initializeOwners(bytes[] memory owners) internal virtual {
        for (uint256 i; i < owners.length; i++) {
            if (owners[i].length != 32 && owners[i].length != 64) {
                revert InvalidOwnerBytesLength(owners[i]);
            }


            if (owners[i].length == 32 && uint256(bytes32(owners[i])) > type(uint160).max) {
                revert InvalidEthereumAddressOwner(owners[i]);
            }


            _addOwnerAtIndex(owners[i], _getMultiOwnableStorage().nextOwnerIndex++);
        }
    }

The function iterates over the owners array and adds each owner without verifying if the total number of owners exceeds this limit.

Impact

This could potentially allow more than 256 owners to be added, which contradicts the stated contract documentation and could lead to unexpected behavior or security issues.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a check at the beginning of the function to ensure that the number of owners being added does not exceed the maximum limit.

Here's how you could modify the function to include this check:

function _initializeOwners(bytes[] memory owners) internal virtual {
    require(owners.length <= 256, "Too many owners"); // @audit Check for max limit
    for (uint256 i; i < owners.length; i++) {
        if (owners[i].length != 32 && owners[i].length != 64) {
            revert InvalidOwnerBytesLength(owners[i]);
        }

        if (owners[i].length == 32 && uint256(bytes32(owners[i])) > type(uint160).max) {
            revert InvalidEthereumAddressOwner(owners[i]);
        }

        _addOwnerAtIndex(owners[i], _getMultiOwnableStorage().nextOwnerIndex++);
    }
}

Assessed type

Other
@c4-bot-7 c4-bot-7 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 20, 2024
c4-bot-5 added a commit that referenced this issue Mar 20, 2024
@c4-bot-5
Tigerfrake issue #64
62cd715
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 22, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Mar 22, 2024
@raymondfam
Copy link

No intended cap in place indeed.

@raymondfam raymondfam mentioned this issue Mar 24, 2024
Open
@c4-sponsor
Copy link

wilsoncusack marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Mar 26, 2024
@wilsoncusack
Copy link

This is just a case of NatSpec being out of date. MultiOwnable is no longer constrained to 256 owners. Will fix

@c4-sponsor
Copy link

wilsoncusack (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Mar 26, 2024
@3docSec
Copy link

3docSec commented Mar 27, 2024

The 256 owners limit check is indeed nowhere to be found. However, since there is no clear impact, we should treat this finding as QA (protocol not behaving as of spec).

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 27, 2024
@c4-judge
Copy link
Contributor

3docSec changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

3docSec marked the issue as grade-a

@C4-Staff C4-Staff added the Q-20 label Apr 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates Q-20 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@wilsoncusack @raymondfam @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff @c4-bot-7 @3docSec