Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Unchecked Threshold Setting in RegistryFactory Contract

akay

Summary

The RegistryFactory contract allows setting of a threshold value without validating it against the number of attesters, which can lead to a non-functional contract state.

Vulnerability Details

In the RegistryFactory contract, the threshold variable is vital for determining the number of attesters required to approve a module. However, the contract lacks proper validation when setting this threshold, both in the constructor and the setThreshold function.

constructor(address implementation_, address owner_, IERC7484 registry_, address[] memory attesters_, uint8 threshold_) Stakeable(owner_) {

// ... other initializations ...

threshold = threshold_;

}

function setThreshold(uint8 newThreshold) external onlyOwner {

threshold = newThreshold;

}

This could lead to a situation where the threshold is higher than the total number of attesters, making it impossible to approve any modules.

Impact

If the threshold is set higher than the number of attesters, it would render the contract non-functional. No modules could be approved, thereby breaking the core functionality of the RegistryFactory. It could also lead to deployed accounts being unusable or the need to redeploy the entire contract.

Tools Used

Manual code review

Recommendations

Implement a check in both the constructor and setThreshold function to ensure the threshold is always less than or equal to the number of attesters:

constructor(address implementation_, address owner_, IERC7484 registry_, address[] memory attesters_, uint8 threshold_) Stakeable(owner_) {

require(threshold_ <= attesters_.length, "Threshold cannot exceed number of attesters");

// ... other initializations ...

threshold = threshold_;

}

function setThreshold(uint8 newThreshold) external onlyOwner {

require(newThreshold <= attesters.length, "Threshold cannot exceed number of attesters");

threshold = newThreshold;

}

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

finding-centralization-risk

Invalid [known issue [Medium-1]](https://github.com/Cyfrin/2024-07-biconomy/issues/1)

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.