Biconomy: Nexus
Biconomy
HardhatFoundry
30,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Fallback handler is missing authorization control

adriro

Summary

The Nexus smart account fails to implement access control in the fallback() function used to redirect calls to fallback handlers.

Vulnerability Details

The fallback() function is in charge of routing calls to installed fallback handler modules.

072: fallback() external payable override(Receiver) receiverFallback {
073: FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];
074: address handler = $fallbackHandler.handler;
075: CallType calltype = $fallbackHandler.calltype;
076: require(handler != address(0), MissingFallbackHandler(msg.sig));
077:
078: if (calltype == CALLTYPE_STATIC) {
079: assembly {
080: calldatacopy(0, 0, calldatasize())
081:
082: // The msg.sender address is shifted to the left by 12 bytes to remove the padding
083: // Then the address without padding is stored right after the calldata
084: mstore(calldatasize(), shl(96, caller()))
085:
086: if iszero(staticcall(gas(), handler, 0, add(calldatasize(), 20), 0, 0)) {
087: returndatacopy(0, 0, returndatasize())
088: revert(0, returndatasize())
089: }
090: returndatacopy(0, 0, returndatasize())
091: return(0, returndatasize())
092: }
093: }
094: if (calltype == CALLTYPE_SINGLE) {
095: assembly {
096: calldatacopy(0, 0, calldatasize())
097:
098: // The msg.sender address is shifted to the left by 12 bytes to remove the padding
099: // Then the address without padding is stored right after the calldata
100: mstore(calldatasize(), shl(96, caller()))
101:
102: if iszero(call(gas(), handler, 0, 0, add(calldatasize(), 20), 0, 0)) {
103: returndatacopy(0, 0, returndatasize())
104: revert(0, returndatasize())
105: }
106: returndatacopy(0, 0, returndatasize())
107: return(0, returndatasize())
108: }
109: }
110: }

As we can see in the implementation, the function doesn't implement any type of access control. Anyone would be able to execute direct calls to the smart account in order to trigger any of the installed fallback handlers.

Note that this is an explicit requirement by the ERC-7579 standard, the account MUST implement access control.

Smart accounts MAY implement a fallback function that forwards the call to a fallback handler.
If the smart account has a fallback handler installed, it:

  • MUST implement authorization control

Impact

Anyone can arbitrarily execute fallback handlers on the Nexus smart account.

Tools Used

None.

Recommendations

Implement authorization control as required by the standard. This could be added when the call could have side effects, i.e. when calltype == CALLTYPE_SINGLE.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-fallback-missing-access-control-module-manager

There is indeed no access control within `fallback()` function which violates ERC7579 spec but the impact shown by all issues is insufficient. Need a better impact description/PoC that exceeds violation of ERC7579 to raise the severity of this issue. There will likely be no exploit for staticcall types, given there is not [state change/funds transfer allowed](https://www.rareskills.io/post/solidity-staticcall), so the possible vulnerability would be in the `CALLTYPE_SINGLE`. If no sufficient proof is provided to show a possible exploit, I will likely invalidate these issues.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.