docs: enhance fallback handler documentation in Safe.sol and IFallbackManager.sol (#879)

mmv08 · web-flow · commit c6cd4b9b0e5f · 2025-01-09T16:37:14.000+01:00
Updated the documentation for the fallback handler in both `Safe.sol`
and `IFallbackManager.sol` to improve clarity and highlight security
risks associated with setting the fallback handler. Added a warning
about the potential for bypassing access control mechanisms when using
untrusted addresses.
diff --git a/contracts/Safe.sol b/contracts/Safe.sol
@@ -28,7 +28,7 @@ import {Enum} from "./libraries/Enum.sol";
  *          1. Transaction Guard: managed in `GuardManager` for transactions executed with `execTransaction`.
  *          2. Module Guard: managed in `ModuleManager` for transactions executed with `execTransactionFromModule`
  *      - Modules: Modules are contracts that can be used to extend the write functionality of a Safe. Managed in `ModuleManager`.
- *      - Fallback: Fallback handler is a contract that can provide additional read-only functionality for Safe. Managed in `FallbackManager`.
+ *      - Fallback: Fallback handler is a contract that can provide additional functionality for Safe. Managed in `FallbackManager`. Please read the security risks in the `IFallbackManager` interface.
  *      Note: This version of the implementation contract doesn't emit events for the sake of gas efficiency and therefore requires a tracing node for indexing/
  *      For the events-based implementation see `SafeL2.sol`.
  * @author Stefan George - @Georgi87
diff --git a/contracts/interfaces/IFallbackManager.sol b/contracts/interfaces/IFallbackManager.sol
@@ -10,9 +10,12 @@ interface IFallbackManager {
 
     /**
      * @notice Set Fallback Handler to `handler` for the Safe.
-     * @dev Only fallback calls without value and with data will be forwarded.
-     *      This can only be done via a Safe transaction.
-     *      Cannot be set to the Safe itself.
+     * @dev 1. Only fallback calls without value and with data will be forwarded.
+     *      2. Changing the fallback handler can only be done via a Safe transaction.
+     *      3. Cannot be set to the Safe itself.
+     *      4. IMPORTANT! SECURITY RISK! The fallback handler can be set to any address and all the calls will be forwarded to it,
+     *         bypassing all the Safe's access control mechanisms. When setting the fallback handler, make sure to check the address
+     *         is a trusted contract and if it supports state changes, it implements the necessary checks.
      * @param handler contract to handle fallback calls.
      */
     function setFallbackHandler(address handler) external;
