Submission Details
Severity: medium
Valid

Accounts using non-standard signing methods won't work with `MondrianWallet2`

Summary

MondrianWallet2 expects ECDSA signatures during signature verification, but zkSync accounts might use non-standard signing methods. Any such account won't work with MondrianWallet2.

Vulnerability Details

zkSync's account abstraction allows accounts to use custom logic for signing transactions, not just ECDSA signatures. This means accounts using non-standard signing methods won't work with MondrianWallet2 as it currently relies on ECDSA for signature verification.

Tools Used

Manual review.

Recommendations

Follow the recommendations in the zkSync documentation:

  1. https://docs.zksync.io/build/quick-start/best-practices.html#gasperpubdatabyte-should-be-taken-into-account-in-development

     "Use zkSync Era's native account abstraction support for signature validation instead of this [ecrecover] function. We recommend not relying on the fact that an account has an ECDSA private key, since the account may be governed by multisig and use another signature scheme."

  2. https://docs.zksync.io/build/developer-reference/account-abstraction.html

     "The @openzeppelin/contracts/utils/cryptography/SignatureChecker.sol library provides a way to verify signatures for different account implementations. We strongly encourage you to use this library whenever you need to check that a signature of an account is correct."

  3. https://docs.zksync.io/build/developer-reference/account-abstraction/building-smart-accounts

     "For smart wallets, we highly encourage the implementation of the EIP1271 signature-validation scheme. This standard is endorsed by the ZKsync team and is integral to our signature-verification library."
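
The difference between an ECDSA-only check and the recommended `SignatureChecker` check, as an added example (not MondrianWallet2's code and not taken from the zkSync documentation). `TwoKeyOwner`, `OwnerSignature`, the function names and the `abi.encode(sigA, sigB)` signature format are hypothetical and chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
import {IERC1271} from "@openzeppelin/contracts/interfaces/IERC1271.sol";

/// Hypothetical contract-based owner: approves a hash only when both of its
/// two keys have signed it. It has no ECDSA private key of its own.
contract TwoKeyOwner is IERC1271 {
    address public immutable keyA;
    address public immutable keyB;

    constructor(address a, address b) {
        keyA = a;
        keyB = b;
    }

    /// Assumed format: `signature` is abi.encode(sigA, sigB), two 65-byte ECDSA signatures.
    function isValidSignature(bytes32 hash, bytes memory signature) external view returns (bytes4) {
        (bytes memory sigA, bytes memory sigB) = abi.decode(signature, (bytes, bytes));
        bool ok = ECDSA.recover(hash, sigA) == keyA && ECDSA.recover(hash, sigB) == keyB;
        // EIP-1271 magic value (0x1626ba7e) on success, any other value on failure.
        return ok ? IERC1271.isValidSignature.selector : bytes4(0xffffffff);
    }
}

/// Hypothetical helper library putting the two validation styles side by side.
library OwnerSignature {
    /// ECDSA-only: can return true only when `owner` is the address of a
    /// secp256k1 key. With a contract owner such as TwoKeyOwner it never
    /// returns true: the combined signature has the wrong length, so
    /// ECDSA.recover reverts, and no single signature recovers to a contract address.
    function isValidEcdsaOnly(address owner, bytes32 hash, bytes memory sig) internal pure returns (bool) {
        return ECDSA.recover(hash, sig) == owner;
    }

    /// Scheme-agnostic: accepts an ECDSA signature when `owner` is a key
    /// address, and an EIP-1271 `isValidSignature` approval when `owner`
    /// is a contract, so the owner decides which signature scheme applies.
    function isValidAnyOwner(address owner, bytes32 hash, bytes memory sig) internal view returns (bool) {
        return SignatureChecker.isValidSignatureNow(owner, hash, sig);
    }
}
```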

Updates

Lead Judging Commences

bube Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Non-standard signing methods
