Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Bootstrap functions setup the registry after module installation, bypassing the validation checks

adriro

Summary

During initialization, modules are installed before the ERC-7484 Registry is configured, bypassing any validation checks on the installed modules.

Vulnerability Details

The Bootstrap contract provides a set of utility functions to configure the smart account during initialization. These functions mainly install a set of modules and then configure the ERC-7484 Registry. As an example, this is the implementation of initNexusWithSingleValidator(), other functions follow the same behavior.

38: function initNexusWithSingleValidator(

39: IModule validator,

40: bytes calldata data,

41: IERC7484 registry,

42: address[] calldata attesters,

43: uint8 threshold

44: ) external {

45: _installValidator(address(validator), data);

46: _configureRegistry(registry, attesters, threshold);

47: }

The general pattern is first to install modules and then configure the registry. Module installation functions are decorated with the withRegistry modifier, this is for example _installValidator():

207: function _installValidator(address validator, bytes calldata data) internal virtual withRegistry(validator, MODULE_TYPE_VALIDATOR) {

208: if (!IValidator(validator).isModuleType(MODULE_TYPE_VALIDATOR)) revert MismatchModuleTypeId(MODULE_TYPE_VALIDATOR);

209: _getAccountStorage().validators.push(validator);

210: IValidator(validator).onInstall(data);

211: }

The withRegistry modifier enforces the registry validation checks on the module, to ensure the module is trusted.

16: modifier withRegistry(address module, uint256 moduleType) {

17: _checkRegistry(module, moduleType);

18: _;

19: }

...

36: function _checkRegistry(address module, uint256 moduleType) internal view {

37: IERC7484 moduleRegistry = registry;

38: if (address(moduleRegistry) != address(0)) {

39: // this will revert if attestations / threshold are not met

40: moduleRegistry.check(module, moduleType);

41: }

42: }

However, since module installation precedes registry configuration, registry checks are bypassed during installation because the registry address is still unset at this point.

Impact

Module validation checks are bypassed during account bootstrapping.

Tools Used

None.

Recommendations

Invert the order of operations in the functions of the Bootstrap contract, ensuring _configureRegistry() comes before any module installation call.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-should-registry-configure-before-module-install

Valid high, since a security feature is compromised, I believe this warrants high severity.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.