Biconomy: Nexus
Biconomy
HardhatFoundry
30,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Calldata length is not validated in `fallback()`

adriro

Summary

When calldata is less than 4 bytes long, calls may be incorrectly routed to an unintended fallback handler.

Vulnerability Details

To determine the matching fallback handler, the fallback() function extracts the first 4 bytes of the calldata and looks up the fallback handler by its selector.

72: fallback() external payable override(Receiver) receiverFallback {
73: FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];
74: address handler = $fallbackHandler.handler;
75: CallType calltype = $fallbackHandler.calltype;
76: require(handler != address(0), MissingFallbackHandler(msg.sig));

The implementation uses msg.sig, which returns the first 4 bytes of the calldata, according to Solidity's documentation.

msg.sig (bytes4): first four bytes of the calldata (i.e. function identifier)

However, the function doesn't validate that the calldata is at least 4 bytes long. When calldata is shorter than 4 bytes, msg.sig wil pad the missing bytes with zeros.

Impact

Calls may be incorrectly routed to an unintended fallback handler when calldata is shorter than 4 bytes.

Tools Used

None.

Recommendations

Ensure that the calldata length is at least 4 bytes.

fallback() external payable override(Receiver) receiverFallback {
+ require(msg.data.length >= 4);
FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];
Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.