Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Bit Manipulation in the Decode Functions

rhaydden

Summary

decode and decodeBasic functions use incorrect bit manipulation operations to extract the different components of the ExecutionMode. The current implementation uses left shifts (shl) instead of right shifts (shr), which will result in incorrect isolation of each component.

Vulnerability Details

The decode function iis intended to extract the CallType, ExecType, ModeSelector, and ModePayload from the ExecutionMode. Albeit, the way this is implemented uses left shifts (shl) to try to isolate these components, which is not correct. The relevant bits are moved out of the 256-bit word instead of being isolated.

Take a look at the decode function: https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/lib/ModeLib.sol#L87-L96

function decode(

ExecutionMode mode

) internal pure returns (CallType _calltype, ExecType _execType, ModeSelector _modeSelector, ModePayload _modePayload) {

assembly {

_calltype := mode

_execType := shl(8, mode)

_modeSelector := shl(48, mode)

_modePayload := shl(80, mode)

}

_calltype is assigned the entire mode value instead of just the most significant byte. Also _execType, _modeSelector, and _modePayload are shifted left, moving the relevant bits out of the 256-bit word instead of isolating them.

The decodeBasic function suffers from the same issue.

These decode functions dont correctly extract the components according to the intended bit layout in the NATSPEC:

|--------------------------------------------------------------------|

|--------------------------------------------------------------------|

|--------------------------------------------------------------------|

Impact

The incorrect bit manipulation results in the decode and decodeBasic functions not correctly extracting the components of the ExecutionMode as the extracted values will not represent the intended CallType, ExecType, ModeSelector, and ModePayload.

Tools Used

Manual review

Recommendations

Modify the decode function to use right shifts (shr) and appropriate masking. Something similar to this:

function decode(

ExecutionMode mode

) internal pure returns (CallType _calltype, ExecType _execType, ModeSelector _modeSelector, ModePayload _modePayload) {

assembly {

- _calltype := mode

- _execType := shl(8, mode)

- _modeSelector := shl(48, mode)

- _modePayload := shl(80, mode)

+ _calltype := shr(248, mode)

+ _execType := shr(240, mode)

+ _modeSelector := shr(208, mode)

+ _modePayload := and(mode, 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFF)

}

Similarly, update the decodeBasic function:

function decodeBasic(ExecutionMode mode) internal pure returns (CallType _calltype, ExecType _execType) {

assembly {

- _calltype := mode

- _execType := shl(8, mode)

+ _calltype := shr(248, mode)

+ _execType := shr(240, mode)

}

Updates

Lead Judging Commences

0xnevi Lead Judge

12 months ago

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.