Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

solady handler prevents module extensibility for ERC721 and ERC1155 callbacks

adriro

Summary

The receiverFallback modifier from the solady library acts as a default handler for ERC721 and ERC1155 callbacks, limiting further extensibility via modules.

Vulnerability Details

The fallback() implementation in the ModuleManager contract is in charge of delegating calls to the installed fallback handler based on the function signature. The function overrides the implementation of the Receiver contract from the solady library, but still decorates it with the receiverFallback modifier:

72: fallback() external payable override(Receiver) receiverFallback {

73: FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];

74: address handler = $fallbackHandler.handler;

75: CallType calltype = $fallbackHandler.calltype;

76: require(handler != address(0), MissingFallbackHandler(msg.sig));

The receiverFallback modifier from the solady library deals with the common callbacks for ERC721 and ERC1155 tokens.

18: /// @dev Modifier for the fallback function to handle token callbacks.

19: modifier receiverFallback() virtual {

20: /// @solidity memory-safe-assembly

21: assembly {

22: let s := shr(224, calldataload(0))

23: // 0x150b7a02: `onERC721Received(address,address,uint256,bytes)`.

24: // 0xf23a6e61: `onERC1155Received(address,address,uint256,uint256,bytes)`.

25: // 0xbc197c81: `onERC1155BatchReceived(address,address,uint256[],uint256[],bytes)`.

26: if or(eq(s, 0x150b7a02), or(eq(s, 0xf23a6e61), eq(s, 0xbc197c81))) {

27: mstore(0x20, s) // Store `msg.sig`.

28: return(0x3c, 0x20) // Return `msg.sig`.

29: }

30: }

31: _;

32: }

If the call matches any of these three selectors, the execution stops at the modifier level, preventing the fallback() function in the ModuleManager contract from being reached.

This prevents any extensibility of these callback functions using modules. Even if the user installs a module to handle any of these selectors, execution will be halted at the receiverFallback modifier.

Impact

This issue impairs the account's extensibility, preventing it from utilizing potential modules that respond to ERC721 and ERC1155 callbacks.

Tools Used

None.

Recommendations

The implementation should first check if there is any fallback handler defined for the given selector, allowing extensibility for all potential use cases. If there isn't a fallback handler installed for the given function call, then handle the potential default cases for the ERC721 and ERC1155 callbacks.

Updates

Lead Judging Commences

0xnevi Lead Judge

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

adriro Submitter

10 months ago

0xnevi Lead Judge

10 months ago

adriro Submitter

10 months ago

0xnevi Lead Judge

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.