HardhatFoundry
30,000 USDC
Submission Details
Severity: medium
Invalid

Discrepancy in Module Installation Between Nexus.sol and ModuleManager.sol

Summary

There is a discrepancy between the installModule function in the Nexus.sol contract and the _installModule function in the ModuleManager.sol contract regarding the types of modules they support. The Nexus.sol contract's notice for installModule lists four types of modules, while the ModuleManager.sol contract's notice for _installModule lists five types. This oversight can cause confusion and potentially limit functionality.

Vulnerability Details

The installModule function in the Nexus.sol contract is designed to call the _installModule function in the ModuleManager.sol contract to install various modules. The notice in the Nexus.sol contract specifies that four types of modules can be installed: Validator, Executor, Fallback, and Hook. However, the notice in the ModuleManager.sol contract specifies that five types of modules can be installed: MultiType, Validator, Executor, Fallback, and Hook. The Nexus.sol contract's installModule function omits the MultiType module from its notice, leading to an inconsistency.

Nexus::installModule

/// @notice Installs a new module to the smart account.
/// @param moduleTypeId The type identifier of the module being installed, which determines its role:
/// - 1 for Validator
/// - 2 for Executor
/// - 3 for Fallback
/// - 4 for Hook
/// @param module The address of the module to install.
/// @param initData Initialization data for the module.
/// @dev This function can only be called by the EntryPoint or the account itself for security reasons.
function installModule(uint256 moduleTypeId, address module, bytes calldata initData) external payable onlyEntryPointOrSelf {
    _installModule(moduleTypeId, module, initData);
    emit ModuleInstalled(moduleTypeId, module);
}

ModuleManager::_installModule

/// @notice Installs a new module to the smart account.
/// @param moduleTypeId The type identifier of the module being installed, which determines its role:
/// - 0 for MultiType
/// - 1 for Validator
/// - 2 for Executor
/// - 3 for Fallback
/// - 4 for Hook
/// @param module The address of the module to install.
/// @param initData Initialization data for the module.
/// @dev This function goes through hook checks via withHook modifier.
/// @dev No need to check that the module is already installed, as this check is done
/// when trying to sstore the module in an appropriate SentinelList
function _installModule(uint256 moduleTypeId, address module, bytes calldata initData) internal withHook {
    if (module == address(0)) revert ModuleAddressCanNotBeZero();
    if (moduleTypeId == MODULE_TYPE_VALIDATOR) {
        _installValidator(module, initData);
    } else if (moduleTypeId == MODULE_TYPE_EXECUTOR) {
        _installExecutor(module, initData);
    } else if (moduleTypeId == MODULE_TYPE_FALLBACK) {
        _installFallbackHandler(module, initData);
    } else if (moduleTypeId == MODULE_TYPE_HOOK) {
        _installHook(module, initData);
    } else if (moduleTypeId == MODULE_TYPE_MULTI) {
        _multiTypeInstall(module, initData);
    } else {
        revert InvalidModuleTypeId(moduleTypeId);
    }
}

Impact

This discrepancy can lead to ambiguity and confusion for developers and users interacting with the Nexus.sol contract. They might be unaware that the installModule function can also handle MultiType modules, potentially limiting the functionality and flexibility of the contract. It may also lead to incorrect assumptions about the capabilities of the installModule function, causing potential integration issues.

Tools Used

Manual Review

Recommendations

To resolve this issue and avoid any confusion, it is recommended to update the notice in the Nexus.sol contract's installModule function to include the MultiType module. This will ensure consistency with the _installModule function in the ModuleManager.sol contract and provide clear information about all the supported module types.
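
One way to catch this kind of NatSpec drift in CI, as an added example that is not part of the submission or the Nexus code base: the script parses the `- N for Name` lists above each function and reports entries documented on `_installModule` but absent from `installModule`. The source strings are constructed from the two comment blocks quoted above; `documented_types` and `natspec_drift` are hypothetical helper names.

```python
import re

# Constructed inputs: the moduleTypeId lists quoted in the finding, with each function's signature line.
NEXUS_SRC = """
/// @param moduleTypeId The type identifier of the module being installed, which determines its role:
/// - 1 for Validator
/// - 2 for Executor
/// - 3 for Fallback
/// - 4 for Hook
/// @param module The address of the module to install.
function installModule(uint256 moduleTypeId, address module, bytes calldata initData) external payable onlyEntryPointOrSelf {
"""
MANAGER_SRC = """
/// @param moduleTypeId The type identifier of the module being installed, which determines its role:
/// - 0 for MultiType
/// - 1 for Validator
/// - 2 for Executor
/// - 3 for Fallback
/// - 4 for Hook
/// @param module The address of the module to install.
function _installModule(uint256 moduleTypeId, address module, bytes calldata initData) internal withHook {
"""

ITEM = re.compile(r"^\s*///\s*-\s*(\d+)\s+for\s+(\w+)\s*$")  # "/// - 1 for Validator"
FUNC = re.compile(r"^\s*function\s+(\w+)\s*\(")

def documented_types(source):
    """Map each function name to the {id: name} list in the NatSpec block directly above it."""
    docs, pending = {}, {}
    for line in source.splitlines():
        item, func = ITEM.match(line), FUNC.match(line)
        if item:
            pending[int(item.group(1))] = item.group(2)
        elif func:
            docs[func.group(1)], pending = pending, {}
        elif not line.strip().startswith("///"):
            pending = {}  # comment block ended without reaching a function
    return docs

def natspec_drift(wrapper_doc, internal_doc):
    """Entries documented on the internal function that the wrapper omits or names differently."""
    return {i: name for i, name in internal_doc.items() if wrapper_doc.get(i) != name}

if __name__ == "__main__":
    docs = documented_types(NEXUS_SRC + MANAGER_SRC)
    for type_id, name in natspec_drift(docs["installModule"], docs["_installModule"]).items():
        print(f"installModule NatSpec is missing: {type_id} for {name}")
```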

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
