Submission Details
Severity: medium
Invalid

K1ValidatorFactory can be griefed by a malicious user, leading to the factory being throttled/banned

Summary

K1ValidatorFactory can be griefed by a malicious user, leading to the factory being throttled/banned, because the error thrown by the onInstall() function of K1_VALIDATOR is not handled.

Vulnerability Details

K1ValidatorFactory manages the creation of Modular Smart Accounts compliant with ERC-7579 and ERC-4337 that use a K1 validator. When createAccount() is called to create a Nexus account, K1_VALIDATOR is used as the validator configuration to generate the bootstrap data:

// Create the validator configuration using the Bootstrap library
BootstrapConfig memory validator = BootstrapLib.createSingleConfig(K1_VALIDATOR, abi.encodePacked(eoaOwner));
bytes memory initData = BOOTSTRAPPER.getInitNexusWithSingleValidatorCalldata(validator, REGISTRY, attesters, threshold);

The newly created Nexus account is then initialized, and K1_VALIDATOR is installed through its onInstall() function:

function onInstall(bytes calldata data) external {
    require(data.length != 0, NoOwnerProvided());
    require(!_isInitialized(msg.sender), ModuleAlreadyInitialized());
    address newOwner = address(bytes20(data));
@>  require(!_isContract(newOwner), NewOwnerIsContract());
    smartAccountOwners[msg.sender] = newOwner;
}

Note that this requires the account owner to be an EOA; otherwise the transaction reverts. A malicious user can submit a userOp that creates a Nexus account through K1ValidatorFactory with a pre-calculated owner address; this userOp passes bundler simulation and the validation loop.

However, before the bundler runs debug_traceCall and includes the transaction in a block, the malicious user can front-run it and deploy a contract at the owner address using CREATE2. As a result, the debug_traceCall call fails and, according to the ERC-4337 specification, K1ValidatorFactory is issued a 'ban': the factory's reputation is decreased and it may eventually be throttled/banned.

If the error is caused by a factory or a paymaster, and the sender of the UserOp is not a staked entity, then issue a “ban” (see “Reputation, throttling and banning”) for the guilty factory or paymaster.

Likewise, BiconomyMetaFactory may also be throttled/banned if the malicious user routes the same deployment through deployWithFactory():

function deployWithFactory(address factory, bytes calldata factoryData) external payable returns (address payable createdAccount) {
    require(factoryWhitelist[address(factory)], FactoryNotWhitelisted());
    (bool success, bytes memory returnData) = factory.call(factoryData);
    // Check if the call was successful
@>  require(success, CallToDeployWithFactoryFailed());
    // Decode the returned address
    assembly {
        createdAccount := mload(add(returnData, 0x20))
    }
}

Impact

K1ValidatorFactory can be throttled/banned.

Tools Used

Manual Review

Recommendations

When the K1 validator is installed, do not revert but return early if the EOA check fails:

function onInstall(bytes calldata data) external {
    require(data.length != 0, NoOwnerProvided());
    require(!_isInitialized(msg.sender), ModuleAlreadyInitialized());
    address newOwner = address(bytes20(data));
-   require(!_isContract(newOwner), NewOwnerIsContract());
+   // Owner is a contract: skip installation instead of reverting the whole deployment
+   if (_isContract(newOwner)) return;
    smartAccountOwners[msg.sender] = newOwner;
}
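As an added illustration (not code from the Nexus repository or from this submission), the early-return variant of the check in a minimal, hypothetical validator, together with a Foundry test that contrasts an EOA owner against a contract owner. ExampleK1Validator, Dummy and the test names are constructed for this example, and _isContract is assumed to be an EXTCODESIZE-style check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.27;

// Assumes forge-std is available in the project (constructed test setup).
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal validator mirroring the onInstall() shown above,
// with the early-return variant of the EOA check. Not the K1Validator source.
contract ExampleK1Validator {
    error NoOwnerProvided();
    error ModuleAlreadyInitialized();

    mapping(address => address) public smartAccountOwners;

    function _isInitialized(address account) internal view returns (bool) {
        return smartAccountOwners[account] != address(0);
    }

    // Assumed EXTCODESIZE-based check: true once code exists at the address.
    function _isContract(address a) internal view returns (bool) {
        return a.code.length > 0;
    }

    function onInstall(bytes calldata data) external {
        require(data.length != 0, NoOwnerProvided());
        require(!_isInitialized(msg.sender), ModuleAlreadyInitialized());
        address newOwner = address(bytes20(data));
        // Recommended change: a contract owner no longer reverts the whole
        // account creation; the module simply stays uninstalled for msg.sender.
        if (_isContract(newOwner)) return;
        smartAccountOwners[msg.sender] = newOwner;
    }
}

// Stand-in for "some contract deployed at the owner address" (constructed).
contract Dummy {}

contract ExampleK1ValidatorTest is Test {
    ExampleK1Validator internal validator;

    function setUp() public {
        validator = new ExampleK1Validator();
    }

    // Happy path: an EOA owner is recorded for the calling account.
    function test_EoaOwnerIsStored() public {
        address eoa = makeAddr("eoa");
        validator.onInstall(abi.encodePacked(eoa));
        assertEq(validator.smartAccountOwners(address(this)), eoa);
    }

    // Contract owner: before the change this reverted with NewOwnerIsContract();
    // now the call succeeds but no owner is written for the account.
    function test_ContractOwnerDoesNotRevert() public {
        address contractOwner = address(new Dummy());
        validator.onInstall(abi.encodePacked(contractOwner));
        assertEq(validator.smartAccountOwners(address(this)), address(0));
    }
}
```

Run with forge test. The second test is the part to weigh: with the early return, the factory and the bundler's trace both see a successful deployment, but smartAccountOwners[msg.sender] stays zero, so the account is created with no owner registered in this validator and the user who submitted that userOp has paid for an account the validator will not authorize. Whether that outcome is preferable to a revert is the design question behind the recommendation.
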
Updates

Lead Judging Commences

0xnevi Lead Judge
12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
