Submission Details
Severity: medium
Valid

Accounts using non-standard signing methods won't work with `Mondrian Wallet`

Relevant GitHub link

https://github.com/Cyfrin/2024-07-Mondrian-Wallet_v2/blob/main/src/MondrianWallet2.sol#L139

Summary

MondrianWallet expects ECDSA signatures, but zkSync accounts might use non-standard signing methods. Any such accounts won't work with MondrianWallet.

Vulnerability Details

zkSync's account abstraction allows accounts to use custom logic for signing transactions, not just ECDSA signatures. This means accounts using non-standard signing methods won't work with MondrianWallet as it currently relies on ECDSA.

Tools Used

Manual review.

Recommendations

Follow the recommendations in the zkSync documentation:

  1. https://docs.zksync.io/build/quick-start/best-practices.html#gasperpubdatabyte-should-be-taken-into-account-in-development

Use zkSync Era's native account abstraction support for signature validation instead of this [ecrecover] function.
We recommend not relying on the fact that an account has an ECDSA private key, since the account may be governed by multisig and use another signature scheme.

  2. https://docs.zksync.io/build/developer-reference/account-abstraction.html

The @openzeppelin/contracts/utils/cryptography/SignatureChecker.sol library provides a way to verify signatures for different account implementations. We strongly encourage you to use this library whenever you need to check that a signature of an account is correct.
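
The difference between the two checks, as an added example that is not code from MondrianWallet2.sol or from the zkSync documentation. The contract name `OwnerSignatureCheck` and its function names are hypothetical; the two OpenZeppelin calls are the library's real API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";

/// Illustration only: hypothetical helper, not part of the audited code base.
contract OwnerSignatureCheck {
    address public immutable owner;

    constructor(address owner_) {
        owner = owner_;
    }

    /// ECDSA-only check, the pattern the finding describes.
    /// It passes only when `owner` is an address controlled by an ECDSA key.
    /// If `owner` is a contract account (multisig, custom signature scheme),
    /// nobody holds an ECDSA key for that address, so this check cannot pass.
    function isValidEcdsaOnly(bytes32 txHash, bytes memory signature)
        public
        view
        returns (bool)
    {
        // ECDSA.recover reverts on a malformed signature.
        return ECDSA.recover(txHash, signature) == owner;
    }

    /// Scheme-agnostic check, the pattern the recommendation points to.
    /// SignatureChecker accepts a valid ECDSA signature from `owner`, or,
    /// when `owner` is a contract, a signature that the contract itself
    /// approves through ERC-1271 isValidSignature(txHash, signature).
    function isValidAnyAccount(bytes32 txHash, bytes memory signature)
        public
        view
        returns (bool)
    {
        // Returns false instead of reverting when the signature is invalid.
        return SignatureChecker.isValidSignatureNow(owner, txHash, signature);
    }
}
```

With a contract owner, `isValidAnyAccount` delegates the decision to the owner's own validation logic, so the wallet's security then depends on that owner's ERC-1271 implementation being correct.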

Updates

Lead Judging Commences

bube Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Non-standard signing methods
