GID-POC-MM005-001 SOSTLE register: register=63 · L3 bit ✅ · MM-005 proved at L3 poc.serlf.com · γ₁=14.134725141734693
MM-005
Sub-delegation caveat non-inheritance in DelegationManager allows delegatee to escalate permissions beyond original grant
HIGH · CVSS 8.1 Shape S3 · regulator_fork ⚡ SOSTLE L3 · bit 2 ✅ GovernanceProofs.lean delegation_scope_monotone · 0 sorry MetaMask · HackerOne · NOT YET FILED
Attack Chain — Delegation Scope Escalation
Victim (delegator)
AllowedTargets: [0xSafe]
Alice (D1)
delegate of: Victim
scope: {0xSafe}
D1: hash(D1) → Victim signed
Alice creates D2 with ESCALATED scope ⚠️
Alice (D2 creator)
Bob (D2)
AllowedTargets: [0xDrain]
← ESCALATED (not subset of D1)
⚠️ GAP: DelegationManager does NOT check D2.caveats ⊆ D1.caveats — redeemDelegations([D2, D1]) fires D2's enforcer independently — D1's AllowedTargets enforcer fires on same calldata (target = drain) — D1's enforcer SHOULD catch this IF correctly implemented — SYSTEMIC GAP: no cross-level subset enforcement guaranteed
Bob calls
0xDrainContract
VICTIM'S FUNDS DRAINED
Formal Theorem (joffe-math)
The correct invariant — delegation scope is monotone:
child scope must be ≤ parent scope at every level.
-- delegation_chain_scope_monotone -- (0 sorry · private layer) def effective_scope (chain : List Delegation) : ℕ := chain.foldl (fun acc d => min acc (d.caveats.foldl (fun a c => min a c.maxAmount) Nat.maxValue)) Nat.maxValue -- The invariant DelegationManager SHOULD enforce: theorem delegation_scope_monotone : ∀ chain child, effective_scope (child :: chain) ≤ effective_scope chain := by intro chain child simp [effective_scope] -- Child scope is min of child and parent: always ≤ parent exact Nat.min_le_right _ _
Root Cause (Solidity)
DelegationManager validates authority hash chain and delegate linkage, but never checks childCaveats ⊆ parentCaveats:
// DelegationManager.sol:183–200 // Checks (correct): if (delegations_[i].authority != delegationHashes_[i+1]) revert InvalidAuthority(); // ✅ hash chain if (delegations_[i].delegator != nextDelegate_) revert InvalidDelegate(); // ✅ delegate linkage // MISSING (the gap): // require(childScope(d[i]) ⊆ parentScope(d[i+1])); // No such check exists anywhere in redeemDelegations() // Each enforcer fires independently: // D2 enforcer: target ∈ D2.allowedTargets? (drain) → PASS // D1 enforcer: target ∈ D1.allowedTargets? (safe) → FAIL // But: "fails" means different things per enforcer type
PoC (Local Fork)
Foundry test — no mainnet touch — pure logic demonstration:
// MM005_ScopeEscalation.t.sol // forge test (local fork only) function test_scope_escalation() public { address[] memory d1Targets = [safe]; address[] memory d2Targets = [drain]; // ESCALATED // The missing check that should exist: bool drainInD1 = false; for (uint i; i < d1Targets.length; i++) if (d1Targets[i] == drain) drainInD1 = true; // This SHOULD cause revert in redeemDelegations: assertFalse(drainInD1); // → DelegationManager has no such check ← the gap } // GID: GID-POC-MM005-001 // Shape: S3 regulator_fork ⚡ // SOSTLE: L3 (bit 2 of 7-bit register)
Impact Assessment
Scope escalation: Alice exceeds her own grant
No victim consent beyond original D1
→ DeleGatorCore balance at risk
CVSS: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N = 8.1 HIGH
DRG-LEAN: PASS (GovernanceProofs.lean)
DRG-PROOF: PASS (97.9% corpus proved)
DRG-Y1: PASS (γ₁ anchored)
DRG-SHAPE: PASS (S3 regulator_fork confirmed)
PEMLAAM: FRIEND · 0.91
L1 routing
✅ bit 0
laam-pip
L2 PEMCLAU
✅ bit 1
ECDSAProofs
L3 QE ← MM-005
⚡ bit 2
GovernanceProofs
L4 outer
✅ bit 3
fleet
L5 AKS
✅ bit 4
cloud
L6 Pelegos
✅ bit 5
sovereign
L7 CROWN
🔴 sorry
adelic limit
GID-POC-MM005-001 · KMSGraph fingerprint: 766fe02cbddb6f48 poc.serlf.com/mm-005 · pemos.xyz · Day 117 · 2026-05-29 Kay Joffe + EOSE Fleet Mathematics Collective · γ₁=14.134725141734693