Summary

Within the BiconomyMetaFactory.sol contract, there is a potentially unsafe external call on line 72. This call allows a caller to provide both an arbitrary address and raw call data, which can lead to security vulnerabilities if not properly controlled.

Vulnerability Details

The following line in the BiconomyMetaFactory.sol contract allows for an unsafe external call:

• File: contracts/factory/BiconomyMetaFactory.sol

• Line: 72

This call enables a user to specify any address to call and provide arbitrary data, which can be exploited for malicious purposes if the target address or data is not adequately validated or restricted.

Impact

Allowing external calls to arbitrary addresses with arbitrary data can lead to several security issues, including:

• Unauthorized Access: Malicious users could call sensitive functions on other contracts, leading to unauthorized access and potential loss of funds.

• Reentrancy Attacks: External calls can be used to perform reentrancy attacks, exploiting the contract’s state before it gets updated.

• Denial of Service: Malicious calls can lead to denial-of-service (DoS) conditions by consuming all gas or locking contract state.

Tools Used

Manual code review

Recommendations

Restrict External Calls:

• Limit the ability to initiate external calls to a predefined set of trusted addresses. This can be achieved by maintaining a whitelist of allowed addresses and verifying the target address against this list before executing the call.
  Validate Call Data:

• Implement strict validation of the call data to ensure that only valid and expected data is processed. This helps in preventing malicious data from being executed.
  Document the Behavior:

• If restricting external calls to specific addresses is not feasible due to business logic requirements, heavily document the need for this behavior. Provide a clear explanation in the documentation of why abuse is unlikely to occur and what measures are in place to mitigate potential risks.