30,000 USDC
Submission Details
Severity: low
Invalid

installModule Function Misses Compatibility with ERC-7579

Summary

The installModule function in the Nexus contract does not check if a module is already installed before attempting to install it. This violates the ERC-7579 specification, which mandates that the function must revert if the module is already installed or the initialization fails.

Vulnerability Details

  • Function: installModule

  • Location: Nexus contract

  • Issue: The function does not verify if the module is already installed before proceeding with the installation. This can lead to multiple installations of the same module, causing potential conflicts and unexpected behavior.

ERC-7579

/**
 * MUST revert if the module is already installed or the initialization on the module failed
 */
function installModule(uint256 moduleTypeId, address module, bytes calldata initData) external;

Non-Compliance with ERC-7579

Specification Violation

The ERC-7579 standard requires that the installModule function must revert if the module is already installed or if the initialization on the module fails. The current implementation does not adhere to this requirement, making the contract non-compliant with the standard.

function installModule(uint256 moduleTypeId, address module, bytes calldata initData) external payable onlyEntryPointOrSelf {
    _installModule(moduleTypeId, module, initData);
    emit ModuleInstalled(moduleTypeId, module);
}

Interoperability Issues

Non-compliance with ERC-7579 can reduce the contract's interoperability with other systems and tools that expect adherence to this standard.

Reliability Concerns

Failing to follow the specification can lead to unexpected behavior and reduce the reliability of the contract.

Impact

  • Conflicts: Reinstalling the same module without proper checks can cause conflicts in the contract's state and logic.

  • Specification Violation: Failing to adhere to the ERC-7579 specification can result in non-compliance, reducing the contract's interoperability and reliability.

  • Security Risks: Potential security vulnerabilities due to unexpected behavior from multiple installations of the same module.

Tools Used

  • Manual Code Review

  • ERC-7579 Documentation

Recommendations

Add Installation Check

  • Implement a check to verify if the module is already installed before proceeding with the installation.

  • Revert the transaction if the module is found to be already installed.

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

finding-ERC7579-does-not-revert-when-module-installed

Invalid per comments [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L185-L186), with checks implemented [in this contract here](https://github.com/rhinestonewtf/sentinellist/blob/main/src/SentinelList.sol)
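
The judging comment above points to a check that lives in a linked-list contract rather than in installModule itself. As an added illustration (not code from Nexus, the submission, or the SentinelList library), this sketch shows how a sentinel-style linked list in the internal install path can satisfy both ERC-7579 revert conditions; every name other than installModule, _installModule, onInstall and ModuleInstalled is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch: every name here is hypothetical, not Nexus or SentinelList code.
interface IModuleSketch {
    function onInstall(bytes calldata data) external; // ERC-7579 module hook
}

contract ModuleRegistrySketch {
    address internal constant SENTINEL = address(0x1);

    // Linked list: entries[a] is the element after a; zero means a is not in the list.
    mapping(address => address) internal entries;

    error InvalidModule(address module);
    error ModuleAlreadyInstalled(address module);

    event ModuleInstalled(uint256 moduleTypeId, address module);

    constructor() {
        entries[SENTINEL] = SENTINEL; // empty list: the sentinel points to itself
    }

    function isInstalled(address module) public view returns (bool) {
        return module != SENTINEL && entries[module] != address(0);
    }

    // Thin external entry point, as in the excerpt; access control
    // (onlyEntryPointOrSelf on the page) is left out of this sketch.
    function installModule(uint256 moduleTypeId, address module, bytes calldata initData) external payable {
        _installModule(module, initData);
        emit ModuleInstalled(moduleTypeId, module);
    }

    function _installModule(address module, bytes calldata initData) internal {
        if (module == address(0) || module == SENTINEL) revert InvalidModule(module);
        // Duplicate check: a non-zero link means the module is already in the list.
        if (entries[module] != address(0)) revert ModuleAlreadyInstalled(module);

        // Insert at the head of the list.
        entries[module] = entries[SENTINEL];
        entries[SENTINEL] = module;

        // A high-level call bubbles up a revert from the module's initialization,
        // which also rolls back the list insertion above.
        IModuleSketch(module).onInstall(initData);
    }
}
```

When reviewing a thin external function like the one quoted in the submission, follow the internal call to where the module list is written before concluding that a duplicate check is absent.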
