Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Potential vulnerability in account creation due to deterministic deployment without sender-specific salt

rhaydden

Summary

The RegistryFactory.sol contract uses a deterministic deployment method for creating new accounts, but the salt calculation doesn't include the msg.sender. This could allow an attacker to front-run account creation in the event of a blockchain re-org, leading to account hijacking.

Vulnerability Details

The createAccount function in RegistryFactory.sol uses LibClone.createDeterministicERC1967 to deploy new accounts. The salt for this deployment is calculated using only the input parameters (initData and salt) without incorporating the msg.sender: https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/RegistryFactory.sol#L112-L120

bytes32 actualSalt;

assembly {

let ptr := mload(0x40)

let calldataLength := sub(calldatasize(), 0x04)

mstore(0x40, add(ptr, calldataLength))

calldatacopy(ptr, 0x04, calldataLength)

actualSalt := keccak256(ptr, calldataLength)

}

There are 2 issues here:

If two different users provide the same initData and salt, they could potentially create accounts at the same address.
The contract doesn't check if the account has already been initialized before calling initializeAccount, which could lead to front-running.

In the event of a blockchain reorganization, an attacker could observe a victim's transaction and quickly submit a transaction with the same parameters, potentially gaining control of the account the victim intended to create.

Impact

An attacker could potentially hijack account creation, gaining control over accounts intended for other users.

Tools Used

Manual review

Recommendations

Include msg.sender in the salt calculation to ensure uniqueness per user.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

finding-createAccount-frontrun-salt

Invalid if a new Nexus proxy is already deployed, [`createDeterministicERC1967` will not revert](https://github.com/Vectorized/solady/blob/main/src/utils/LibClone.sol#L745), but simply return, so there is no DoS here. Users should carefully select a unique salt and initData when creating a new Nexus Proxy instance as noted in documentation [here](https://github.com/bcnmy/nexus/wiki/NexusAccountFactory#createaccount)

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.