Submission Details
Severity: low
Invalid

`RegistryBootstrap.sol::initNexus()` can be re-initialised due to lack of proper access control

Summary

The `initNexus()` function in the `RegistryBootstrap.sol` contract lacks access control and can be called multiple times. This exposes the contract to re-initialization and unauthorized modification of its configured modules, which carries several security risks.

Vulnerability Details

The function initNexus() is designed to initialize various components of the smart contract, such as validators, executors, hooks, and fallback handlers. However, it does not include any access control checks to ensure that only authorized users can call the function, and it lacks mechanisms to prevent re-initialization.

Impact

The vulnerability can lead to overwriting existing validators, executors, hooks, and fallback handlers with potentially malicious ones, allowing unauthorized or malicious actions within the smart contract. Re-initializing the registry can undermine security, allowing unauthorized control.

Tools Used

Manual review

Recommendations

It is recommended to implement proper access control so that only authorized users can call `initNexus()`. Additionally, apply an `initializer` modifier so the function can only be called once, or an `onlyOwner` modifier if the function needs to be controlled by the contract owner.
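As an added example, not code from the Biconomy repository or from the audited `RegistryBootstrap.sol`, the contract below shows the recommended guards in isolation: a caller restriction, a one-shot initializer, and, as a simplified stand-in for the duplicate-install check that the judge's comment references, an install routine that reverts when a module is already present. The contract and function names, the module-type constants and the `installedModules` mapping are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative bootstrap contract with independent guards against
/// re-initialization. Added example, not the audited RegistryBootstrap.sol;
/// `Bootstrap`, `initNexus`, `installedModules` and the MODULE_TYPE_*
/// constants are assumed names for the example.
contract Bootstrap {
    uint256 internal constant MODULE_TYPE_VALIDATOR = 1;
    uint256 internal constant MODULE_TYPE_EXECUTOR = 2;

    address public immutable owner;
    bool private _initialized;

    /// moduleType => module address => installed?
    mapping(uint256 => mapping(address => bool)) public installedModules;

    event ModuleInstalled(uint256 indexed moduleType, address indexed module);
    event Initialized(address indexed by);

    error NotOwner();
    error AlreadyInitialized();
    error ModuleAlreadyInstalled(uint256 moduleType, address module);
    error ZeroAddress();

    constructor(address owner_) {
        if (owner_ == address(0)) revert ZeroAddress();
        owner = owner_;
    }

    /// Guard 1: only the configured owner may bootstrap.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Guard 2: one-shot initializer. The flag is set before the body runs,
    /// so a repeated (or re-entrant) call reverts instead of overwriting state.
    modifier initializer() {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        _;
    }

    function initNexus(address[] calldata validators, address[] calldata executors)
        external
        onlyOwner
        initializer
    {
        for (uint256 i = 0; i < validators.length; ++i) {
            _installModule(MODULE_TYPE_VALIDATOR, validators[i]);
        }
        for (uint256 i = 0; i < executors.length; ++i) {
            _installModule(MODULE_TYPE_EXECUTOR, executors[i]);
        }
        emit Initialized(msg.sender);
    }

    /// Guard 3: a simplified stand-in for the duplicate-install check the
    /// judge's comment points to. Installation refuses a module that is
    /// already present, so even a second bootstrap call could not silently
    /// replace an existing entry.
    function _installModule(uint256 moduleType, address module) internal {
        if (module == address(0)) revert ZeroAddress();
        if (installedModules[moduleType][module]) {
            revert ModuleAlreadyInstalled(moduleType, module);
        }
        installedModules[moduleType][module] = true;
        emit ModuleInstalled(moduleType, module);
    }
}
```

A Foundry test for this pattern would call `initNexus()` once from the owner, then expect `AlreadyInitialized()` on a second call and `NotOwner()` from any other sender; a separate test would call `_installModule` (through a public wrapper) with a repeated address and expect `ModuleAlreadyInstalled`. The three guards are deliberately independent: the install-time duplicate check on its own is what makes a re-initialization attempt revert rather than overwrite, which is the behaviour the judge's comment attributes to the audited code.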

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

finding-ERC7579-does-not-revert-when-module-installed

Invalid per comments [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L185-L186), with checks implemented [in this contract here](https://github.com/rhinestonewtf/sentinellist/blob/main/src/SentinelList.sol)
