Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Valid

Non compliance with EIP-4337

Summary

MondrianWallet::validateUserOp does not comply with EIP-4337 specs for validateUserOp.

Vulnerability Details

Quoting EIP-4337:

If the account does not support signature aggregation, it MUST validate the signature is a valid signature of the userOpHash, and SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch. Any other error MUST revert.

The implementation in-hand does not support signature aggregation, therefore it SHOULD return SIG_VALIDATION_FAILED. Instead, it reverts on every signature mismatch.
SIG_VALIDATION_FAILED is declared but not used which indicate the intent to use it, reference.

Quoting EIP-4337 again:

The return value MUST be packed of authorizer, validUntil and validAfter timestamps.

The implementation in-hand only return authorizer e.g. SIG_VALIDATION_SUCCESS which corresponds to 0. reference.

Impact

Non-compliance with EIP-4337.

Tools Used

Manual review.

Recommendations

Refactor the code that is not compliant with the EIP.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`_validateSignature` SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch.

validationData return MUST be a return composed of `authorizer`, `validUntil` and `validAfter` timestamps

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.