Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Module uninstallation is vulnerable to denial of service attacks

adriro

Summary

Module uninstallation relies on calls to the module itself. If any of these calls fail, the operation reverts, potentially causing a denial of service and preventing the user from removing the module.

Vulnerability Details

Modules can be uninstalled by using the uninstallModule() function.

201: function uninstallModule(uint256 moduleTypeId, address module, bytes calldata deInitData) external payable onlyEntryPointOrSelf {

202: require(IModule(module).isModuleType(moduleTypeId), MismatchModuleTypeId(moduleTypeId));

203: require(_isModuleInstalled(moduleTypeId, module, deInitData), ModuleNotInstalled(moduleTypeId, module));

204:

205: emit ModuleUninstalled(moduleTypeId, module);

206:

207: if (moduleTypeId == MODULE_TYPE_VALIDATOR) {

208: _uninstallValidator(module, deInitData);

209: } else if (moduleTypeId == MODULE_TYPE_EXECUTOR) {

210: _uninstallExecutor(module, deInitData);

211: } else if (moduleTypeId == MODULE_TYPE_FALLBACK) {

212: _uninstallFallbackHandler(module, deInitData);

213: } else if (moduleTypeId == MODULE_TYPE_HOOK) {

214: _uninstallHook(module, deInitData);

215: }

216: }

There is a first call to the module in line 202 to check if the module actually declares itself as a type of the given moduleTypeId.

Then each of the uninstallation functions for each of the possible module types execute a call to the onUninstall() function of the module. This is for example the _uninstallHook() function:

261: function _uninstallHook(address hook, bytes calldata data) internal virtual {

262: _setHook(address(0));

263: IHook(hook).onUninstall(data);

264: }

Impact

A revert in any of the calls to the module could lead to a denial of service, preventing the owners of the wallet from effectively uninstalling the module.

Tools Used

None.

Recommendations

Consider adding an emergency variant or flag that just clears the module from the account's state.

Updates

Lead Judging Commences

0xnevi Lead Judge

11 months ago

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

adriro Submitter

11 months ago

0xnevi Lead Judge

10 months ago

adriro Submitter

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.