HardhatFoundry
30,000 USDC
Submission Details
Severity: high
Valid

When initializing the Nexus account, registry should be configured before modules are installed

Summary

Registry should be configured before installing modules when initializing the Nexus account through `Bootstrap`, or the module may never be verified.

Vulnerability Details

Bootstrap provides functionality to manage the installation of modules into Nexus smart accounts. Users can call `initNexusWithSingleValidator()` to initialize a Nexus account with a single validator, `initNexus()` to initialize it with multiple modules, or `initNexusScoped()` to initialize it with a scoped set of modules.

Before the modules are installed, they are expected to be checked by the registry (if one is configured) to verify their security: each installation method (`_installValidator()` / `_installExecutor()` / `_installHook()` / `_installFallbackHandler()`) is guarded by a `withRegistry` modifier.

The problem is that when the modules are installed through Bootstrap, the registry is configured only after the modules have been installed. As a result, none of the modules are verified by the registry, even though they are expected to be.

Additionally, according to the ERC-7484 specification, a module must be verified against the registry at least once before or during the transaction:

A Smart Account MUST implement the following Adapter functionality either natively in the account or as a module. This Adapter functionality MUST ensure that:

  • The Registry is queried about module A at least once before or during the transaction in which A is called for the first time.

  • The Registry reverting is treated as a security risk.

However, the registry is only queried about the executor module when `executeFromExecutor()` is called; other modules are never verified even if a registry is configured.

```solidity
function executeFromExecutor(
    ExecutionMode mode,
    bytes calldata executionCalldata
) external payable onlyExecutorModule withHook withRegistry(msg.sender, MODULE_TYPE_EXECUTOR) returns (bytes[] memory returnData) {
```
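As an added illustration (not code from the Nexus repository), the following hypothetical contract models the ordering problem: a `withRegistry` modifier that is a no-op while no registry is configured (an assumption about the real modifier, consistent with the "if any" above), a minimal registry that reverts for non-attested modules, and the two initialization orderings side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal registry: reverts for any module that has not been attested.
interface IRegistryLike {
    function check(address module, uint256 moduleType) external view;
}

contract AttestationRegistry is IRegistryLike {
    mapping(address => bool) public attested;

    function attest(address module) external { attested[module] = true; }

    function check(address module, uint256) external view {
        require(attested[module], "module not attested");
    }
}

// Hypothetical account: withRegistry is assumed to be a no-op while no registry
// is configured, which is what lets install-then-configure skip the check.
contract OrderingDemo {
    IRegistryLike public registry;
    mapping(address => bool) public installed;

    modifier withRegistry(address module, uint256 moduleType) {
        if (address(registry) != address(0)) registry.check(module, moduleType);
        _;
    }

    function _configureRegistry(IRegistryLike r) internal { registry = r; }

    function _installValidator(address m) internal withRegistry(m, 1) { installed[m] = true; }

    // Vulnerable ordering (as in the original Bootstrap): install, then configure.
    // The registry is still unset when the modifier runs, so the check is skipped.
    function initVulnerable(address validator, IRegistryLike r) external {
        _installValidator(validator);
        _configureRegistry(r);
    }

    // Fixed ordering: configure, then install, so a non-attested validator reverts.
    function initFixed(address validator, IRegistryLike r) external {
        _configureRegistry(r);
        _installValidator(validator);
    }
}
```

Deploying `AttestationRegistry` without attesting the validator, `initVulnerable` succeeds and leaves the module installed unchecked, while `initFixed` reverts with "module not attested".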

Impact

Modules may never be verified by the registry, not even once.

Tools Used

Manual Review

Recommendations

It is recommended to configure the registry before installing the modules through Bootstrap.

function initNexusWithSingleValidator(
IModule validator,
bytes calldata data,
IERC7484 registry,
address[] calldata attesters,
uint8 threshold
) external {
+ _configureRegistry(registry, attesters, threshold);
_installValidator(address(validator), data);
- _configureRegistry(registry, attesters, threshold);
}
function initNexus(
BootstrapConfig[] calldata validators,
BootstrapConfig[] calldata executors,
BootstrapConfig calldata hook,
BootstrapConfig[] calldata fallbacks,
IERC7484 registry,
address[] calldata attesters,
uint8 threshold
) external {
+ _configureRegistry(registry, attesters, threshold);
// Initialize validators
for (uint256 i = 0; i < validators.length; i++) {
_installValidator(validators[i].module, validators[i].data);
}
// Initialize executors
for (uint256 i = 0; i < executors.length; i++) {
if (executors[i].module == address(0)) continue;
_installExecutor(executors[i].module, executors[i].data);
}
// Initialize hook
if (hook.module != address(0)) {
_installHook(hook.module, hook.data);
}
// Initialize fallback handlers
for (uint256 i = 0; i < fallbacks.length; i++) {
if (fallbacks[i].module == address(0)) continue;
_installFallbackHandler(fallbacks[i].module, fallbacks[i].data);
}
- _configureRegistry(registry, attesters, threshold);
}
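Review bot: the validators loop in initNexus has no `address(0)` skip, while the executors and fallbacks loops both `continue` on a zero module address; either add the same guard before `_installValidator(validators[i].module, validators[i].data);` or state explicitly that a zero validator entry is meant to revert inside `_installValidator`.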
function initNexusScoped(
BootstrapConfig[] calldata validators,
BootstrapConfig calldata hook,
IERC7484 registry,
address[] calldata attesters,
uint8 threshold
) external {
+ _configureRegistry(registry, attesters, threshold);
// Initialize validators
for (uint256 i = 0; i < validators.length; i++) {
_installValidator(validators[i].module, validators[i].data);
}
// Initialize hook
if (hook.module != address(0)) {
_installHook(hook.module, hook.data);
}
- _configureRegistry(registry, attesters, threshold);
}
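Review bot: the reordering is applied consistently to all three entry points, but no test accompanies it; a regression test that passes a module the registry has not attested through each of `initNexusWithSingleValidator`, `initNexus` and `initNexusScoped` and expects a revert would pin the fix and catch any future return to the install-then-configure order.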
Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-should-registry-configure-before-module-install

Valid high, since a security feature is compromised, I believe this warrants high severity.
