Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failure of signature validation due to renounce of ownership #10

Open
hats-bug-reporter bot opened this issue Jun 21, 2024 · 5 comments
Open

Failure of signature validation due to renounce of ownership #10

hats-bug-reporter bot opened this issue Jun 21, 2024 · 5 comments
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
Submission hash (on-chain): 0x614eb3d24183cf703374120eac6ed9bd3a62b0b0ba295e9b609450b23948c288
Severity: low

Description:
Description\

AtomWallet.sol has inherited openzeppelin's OwnableUpgradeable.sol contract for owner related functionalities. This also means that renounceOwnership() can be directly called and owner would be set to zero address. This high impact would affect the ``AtomWallet.sol` contract in following way:

    function _validateSignature(UserOperation calldata userOp, bytes32 userOpHash)
        internal
        virtual
        override
        returns (uint256 validationData)
    {
        bytes32 hash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash));

        (address recovered,,) = ECDSA.tryRecover(hash, userOp.signature);

@>      if (recovered != owner()) {
            return SIG_VALIDATION_FAILED;
        }

        return 0;
    }

To validated the signature, the above function checks that the recovered address is indeed owner of wallet. However, when renounceOwnership() function is called by wallet owner then the check if (recovered != owner()) { return SIG_VALIDATION_FAILED; would fail and signature would not be validated.

Recommendations
Disable the renounceOwnership() function by overriding it.

NOTE:
This should not be considered centralized risk as the likelihood is low but the impact is very much high so considering the contest, it should be low severtiy.
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Jun 21, 2024
@cgmello cgmello added the wontfix This will not be worked on label Jun 21, 2024
@mihailo-maksa
Copy link
Collaborator

After careful review, we have determined that this issue is not a valid concern for the following reasons:

  1. User Autonomy: The ability to renounce ownership is a feature that allows users to relinquish control over their wallet if they choose to do so. This decision should remain within the user's discretion.
  2. Controlled Impact: When a user renounces ownership, they are aware that the contract's owner address will be set to zero. This is a conscious decision and does not inadvertently compromise the wallet's security or functionality.
  3. Intended Behavior: The _validateSignature function's design is intentional. It ensures that only the owner can validate signatures. If the ownership is renounced, the contract behaves as expected by failing the signature validation, indicating no current owner.

In conclusion, while disabling the renounceOwnership() function might seem beneficial, it undermines user autonomy. Our implementation works as intended, allowing users to make their own choices about ownership. Therefore, this issue is not a valid concern, and we consider it invalid.

@0xRizwan
Copy link

@mihailo-maksa Thanks for the detailed comment.

This is actually a risk associated with users action and it is also not documented in shared Intuition documentation. In addition to above recommendation, i would suggest this issue risk to add in documentation or as a part of disclaimer, additionally, an alert can shown to users at front-end so that everyone including non-technical people can understand it. Therefore, this issue still can be considered as an enhancement or issue can be acknowledged.

@mihailo-maksa mihailo-maksa added the invalid This doesn't seem right label Jun 29, 2024
@mihailo-maksa
Copy link
Collaborator

We understand your concerns, but we really want to emphasize the point that our implementation works as intended, allowing users to make their own choices about ownership. Also, we are planning on implementing the Ownable2StepUpgradeable in AtomWallet instead of OwnableUpgradeable, thus further addressing the security concerns our users might have, while also maintaining the ability to renounce the ownership, which we believe is crucial to our protocol.

@mihailo-maksa mihailo-maksa removed the wontfix This will not be worked on label Jul 4, 2024
@0xRizwan
Copy link

0xRizwan commented Jul 5, 2024

@cgmello Renounce of ownership in both Ownable2StepUpgradeable and OwnableUpgradeable is a single step process so using any of these versions wont fix this issue. This issue brings valid concern for users. I believe if #72 can be considered as an issue then this can be too. Thank you for the discussions on this issue, i respect your decision.

@mihailo-maksa
Copy link
Collaborator

The ability to renounce ownership is intentional and aligns with our design, making this issue invalid. The reason why #72 was accepted is that the fix was actually useful and implemented, whereas this issue does not necessitate a change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cgmello @mihailo-maksa @0xRizwan