HardhatFoundry
30,000 USDC
Submission Details
Severity: high
Invalid

Fallback handlers can't be installed due to the restricted selector onInstall, will lead to loss of funds

Summary

Fallback handlers manage transactions that do not match any predefined function signatures or encounter errors during execution. They ensure that the smart account can gracefully handle unexpected conditions and provide a mechanism for recovering from errors.

However, when installing the fallback module, the call reverts due to the restricted selector onInstall.

Vulnerability Details

// Initialize fallback handlers
for (uint256 i = 0; i < fallbacks.length; i++) {
    if (fallbacks[i].module == address(0)) continue;
    _installFallbackHandler(fallbacks[i].module, fallbacks[i].data);
}

_installFallbackHandler is invoked in the ModuleManager to install the fallback:

function _installFallbackHandler(address handler, bytes calldata params) internal virtual withRegistry(handler, MODULE_TYPE_FALLBACK) {
    if (!IFallback(handler).isModuleType(MODULE_TYPE_FALLBACK)) revert MismatchModuleTypeId(MODULE_TYPE_FALLBACK);
    // Extract the function selector from the provided parameters.
    bytes4 selector = bytes4(params[0:4]);
    // Extract the call type from the provided parameters.
    CallType calltype = CallType.wrap(bytes1(params[4]));
    // Extract the initialization data from the provided parameters.
    bytes memory initData = params[5:];
    // Revert if the selector is either `onInstall(bytes)` (0x6d61fe70) or `onUninstall(bytes)` (0x8a91b0e3).
    // These selectors are explicitly forbidden to prevent security vulnerabilities.
    // Allowing these selectors would enable unauthorized users to uninstall and reinstall critical modules.
    // If a validator module is uninstalled and reinstalled without proper authorization, it can compromise
    // the account's security and integrity. By restricting these selectors, we ensure that the fallback handler
    // cannot be manipulated to disrupt the expected behavior and security of the account.
    require(!(selector == bytes4(0x6d61fe70) || selector == bytes4(0x8a91b0e3)), FallbackSelectorForbidden());
    // Revert if a fallback handler is already installed for the given selector.
    // This check ensures that we do not overwrite an existing fallback handler, which could lead to unexpected behavior.
    require(!_isFallbackHandlerInstalled(selector), FallbackAlreadyInstalledForSelector(selector));
    // Store the fallback handler and its call type in the account storage.
    // This maps the function selector to the specified fallback handler and call type.
    _getAccountStorage().fallbacks[selector] = FallbackHandler(handler, calltype);
    // Invoke the `onInstall` function of the fallback handler with the provided initialization data.
    // This step allows the fallback handler to perform any necessary setup or initialization.
    IFallback(handler).onInstall(initData);
}

As stated in the function comments:

// Revert if the selector is either `onInstall(bytes)` (0x6d61fe70) or `onUninstall(bytes)` (0x8a91b0e3).
// These selectors are explicitly forbidden to prevent security vulnerabilities.
// Allowing these selectors would enable unauthorized users to uninstall and reinstall critical modules.
// If a validator module is uninstalled and reinstalled without proper authorization, it can compromise
// the account's security and integrity. By restricting these selectors, we ensure that the fallback handler
// cannot be manipulated to disrupt the expected behavior and security of the account.
require(!(selector == bytes4(0x6d61fe70) || selector == bytes4(0x8a91b0e3)), FallbackSelectorForbidden());

This will revert any call made to the handler to install a new fallback. The call made to the handler requires the onInstall selector, which is explicitly rejected, so the installation will halt.

IFallback(handler).onInstall(initData)

Impact

Users won't be able to use the fallback to handle transactions that do not match any function. This can lead to loss of funds in cases where ETH is sent directly to the account: without the fallback, the account won't know what to do and the ETH will remain locked.

Tools Used

Manual review

Recommendations

Allow initial installations for new accounts by default, then restrict removing them.
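For triage, an off-chain Python model of how _installFallbackHandler decodes params and which bytes the forbidden-selector check compares. This is an added example, not Nexus code or part of the submission. The module-type and registry checks are omitted, and the 0xdeadbeef selector, the handler address, the ParamsTooShort name and the dict-based storage are constructed for illustration.

```python
# Off-chain model of the params handling in _installFallbackHandler (illustrative, not Nexus code).
ON_INSTALL = bytes.fromhex("6d61fe70")    # onInstall(bytes), value quoted on the page
ON_UNINSTALL = bytes.fromhex("8a91b0e3")  # onUninstall(bytes), value quoted on the page


class Revert(Exception):
    """Stands in for an EVM revert; args[0] is the error name."""


def decode_fallback_params(params: bytes):
    """Split params into (selector, calltype, init_data) the way the Solidity slices do."""
    # params[0:4] and params[4] are out of bounds below 5 bytes, which reverts on-chain.
    if len(params) < 5:
        raise Revert("ParamsTooShort")  # hypothetical name, not an error in the code above
    return params[0:4], params[4], params[5:]


def install_fallback_handler(storage: dict, handler: str, params: bytes) -> bytes:
    """Apply the two selector checks in the page's order; return the data onInstall receives."""
    selector, calltype, init_data = decode_fallback_params(params)
    # The comparison is against the selector being registered: the first 4 bytes of params.
    if selector in (ON_INSTALL, ON_UNINSTALL):
        raise Revert("FallbackSelectorForbidden")
    if selector in storage:
        raise Revert("FallbackAlreadyInstalledForSelector")
    storage[selector] = (handler, calltype)
    return init_data  # argument of IFallback(handler).onInstall(initData)


def try_install(storage: dict, handler: str, params: bytes) -> str:
    """Return 'ok' or the revert name, for quick triage of a params blob."""
    try:
        install_fallback_handler(storage, handler, params)
        return "ok"
    except Revert as exc:
        return exc.args[0]


if __name__ == "__main__":
    HANDLER = "0x" + "11" * 20          # constructed address
    CUSTOM = bytes.fromhex("deadbeef")  # constructed selector
    acct = {}
    for blob in (CUSTOM + b"\x00init", CUSTOM + b"\x00", ON_INSTALL + b"\x00", b"\x01\x02"):
        print(blob.hex(), "->", try_install(acct, HANDLER, blob))
```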

Updates

Lead Judging Commences

0xnevi Lead Judge
12 months ago
0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
