MondrianWallet::validateUserOp does not comply with EIP-4337 specs for validateUserOp.
Quoting EIP-4337:
If the account does not support signature aggregation, it MUST validate the signature is a valid signature of the
userOpHash, and SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch. Any other error MUST revert.
The implementation at hand does not support signature aggregation, therefore it SHOULD return SIG_VALIDATION_FAILED. Instead, it reverts on every signature mismatch.
SIG_VALIDATION_FAILED is declared but never used, which indicates the intent to use it (reference).
Quoting EIP-4337 again:
The return value MUST be packed of authorizer, validUntil and validAfter timestamps.
The implementation at hand only returns the authorizer, e.g. SIG_VALIDATION_SUCCESS, which corresponds to 0 (reference).
Non-compliance with EIP-4337.
Manual review.
Refactor the code that is not compliant with the EIP.
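The packed return value that EIP-4337 expects from validateUserOp, modelled off-chain as an added example (this is not MondrianWallet code and not the EIP's reference implementation). The function and class names are hypothetical; the layout assumed is the one EIP-4337 gives: authorizer in the low 20 bytes, then a 6-byte validUntil (0 meaning no expiry), then a 6-byte validAfter.

```python
from dataclasses import dataclass

SIG_VALIDATION_SUCCESS = 0   # authorizer value for a valid signature
SIG_VALIDATION_FAILED = 1    # authorizer value for a signature mismatch
ADDR_MASK = (1 << 160) - 1   # 20-byte authorizer field
UINT48_MAX = (1 << 48) - 1   # 6-byte timestamp fields


def pack_validation_data(authorizer: int, valid_until: int, valid_after: int) -> int:
    """Pack the three fields into the single uint256 validateUserOp returns."""
    if not 0 <= authorizer <= ADDR_MASK:
        raise ValueError("authorizer must fit in 20 bytes")
    if not (0 <= valid_until <= UINT48_MAX and 0 <= valid_after <= UINT48_MAX):
        raise ValueError("timestamps must fit in 6 bytes")
    return authorizer | (valid_until << 160) | (valid_after << 208)


@dataclass(frozen=True)
class ValidationData:
    authorizer: int
    valid_until: int
    valid_after: int

    @property
    def sig_failed(self) -> bool:
        return self.authorizer == SIG_VALIDATION_FAILED


def unpack_validation_data(value: int) -> ValidationData:
    """Decode a returned uint256 back into its fields."""
    if not 0 <= value < (1 << 256):
        raise ValueError("validationData must be a uint256")
    valid_until = (value >> 160) & UINT48_MAX
    return ValidationData(
        authorizer=value & ADDR_MASK,
        valid_until=valid_until or UINT48_MAX,  # 0 is read as "no expiry"
        valid_after=(value >> 208) & UINT48_MAX,
    )


def account_result(sig_ok: bool, valid_until: int = 0, valid_after: int = 0) -> int:
    """Hypothetical non-aggregating account: a mismatch is returned, not raised."""
    authorizer = SIG_VALIDATION_SUCCESS if sig_ok else SIG_VALIDATION_FAILED
    return pack_validation_data(authorizer, valid_until, valid_after)
```

A bare 0 or 1 decodes as an unbounded validity window, so an account that wants time limits has to set the upper bits itself.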