HardhatFoundry
30,000 USDC
Submission Details
Severity: medium
Valid

`K1Validator.sol` won't work on zkSync, as every address is a contract on zkEVM

Summary

K1Validator.sol won't work on zkSync, as every EOA is a contract on zkEVM

Vulnerability Details

On the zkSync chain, every EOA has some code attached to it, as zkEVM supports native account abstraction.

https://docs.zksync.io/build/developer-reference/account-abstraction/

Therefore, the EOA check in `onInstall()` in K1Validator.sol will fail and the call will revert, making it impossible to add a validator to a Nexus account.

```solidity
function onInstall(bytes calldata data) external {
    require(data.length != 0, NoOwnerProvided());
    require(!_isInitialized(msg.sender), ModuleAlreadyInitialized());
    address newOwner = address(bytes20(data));
    // @=> this will always revert on zkSync
    require(!_isContract(newOwner), NewOwnerIsContract());
    smartAccountOwners[msg.sender] = newOwner;
}
```

Impact

A Nexus account won't be able to have any validator on the zkSync chain.

Tools Used

Manual Review

Recommendations

Remove this check on zkSync

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-zksync-create-create2-opcode

Valid medium, since there is non-functionality on zkSync (cannot create accounts) since it is stated as follows

> Blockchains:
> - Ethereum/Any EVM
