The contract defines an internal function MoondrianWallet::_validateSignature which is responsible for validating the signature of the message. However, this function always reports the signature as valid.
The function _validateSignature defined in Line 113 of MoondrianWallet.sol always returns SIG_VALIDATION_SUCCESS. The function does not take into account the result of the ECDSA.recover call (Elliptic Curve Digital Signature Algorithm), so the recovered signer is never compared with the owner.
The _validateSignature function is executed by the validateUserOp function of the Account Contract. This function must validate that the caller is a trusted EntryPoint. As defined in MoondrianWallet.sol, the function will always return that the caller is trusted, which can result in the execution of a malicious user operation.
Manual Review
Check the result of the ECDSA.recover execution on Line 120: return SIG_VALIDATION_SUCCESS only if the recovered address equals the owner, and return SIG_VALIDATION_FAILED otherwise.
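The shape of the defect and of the recommended fix, as an added illustration that is not the audited MoondrianWallet code. It assumes the OpenZeppelin v5 ECDSA and MessageHashUtils libraries, the account-abstraction v0.7 PackedUserOperation struct and its SIG_VALIDATION_SUCCESS / SIG_VALIDATION_FAILED constants, and an `owner` address stored in the account; the function and contract names are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's own code. Assumes OpenZeppelin v5 and
// account-abstraction v0.7 import paths.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";
import {PackedUserOperation} from "@account-abstraction/contracts/interfaces/PackedUserOperation.sol";
import {SIG_VALIDATION_FAILED, SIG_VALIDATION_SUCCESS} from "@account-abstraction/contracts/core/Helpers.sol";

contract SignatureCheckExample {
    // Hypothetical owner whose key is expected to sign user operations.
    address public immutable owner;

    constructor(address _owner) {
        owner = _owner;
    }

    // Vulnerable shape, as the finding describes it: ECDSA.recover runs, but
    // its result is discarded and SIG_VALIDATION_SUCCESS is returned for any
    // signature, so validateUserOp accepts operations from anyone.
    function _validateSignatureVulnerable(
        PackedUserOperation calldata userOp,
        bytes32 userOpHash
    ) internal pure returns (uint256) {
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(userOpHash);
        ECDSA.recover(digest, userOp.signature); // recovered signer never checked
        return SIG_VALIDATION_SUCCESS;
    }

    // Hardened shape, following the recommendation: compare the recovered
    // signer with the owner and return SIG_VALIDATION_FAILED on mismatch.
    function _validateSignatureFixed(
        PackedUserOperation calldata userOp,
        bytes32 userOpHash
    ) internal view returns (uint256) {
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(userOpHash);
        // tryRecover does not revert on a malformed signature; ERC-4337 expects
        // the account to report a validation failure rather than revert, so the
        // EntryPoint/bundler can reject the operation cleanly.
        (address signer, ECDSA.RecoverError err, ) = ECDSA.tryRecover(digest, userOp.signature);
        if (err != ECDSA.RecoverError.NoError || signer != owner) {
            return SIG_VALIDATION_FAILED;
        }
        return SIG_VALIDATION_SUCCESS;
    }
}
```

In a unit test, calling the hardened function with a signature produced by any key other than the owner's (or with an empty or truncated signature) should yield SIG_VALIDATION_FAILED, while the vulnerable shape yields SIG_VALIDATION_SUCCESS for those same inputs; that contrast is the regression check to keep around the fix on Line 120.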