HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Missing Check for Executor Removal Can Cause DOS

Summary

In Nexus.sol, there's a missing check for executor removal, which potentially leads to a Denial of Service (DoS) scenario.

Vulnerability Details

In Nexus.sol, there is a function _uninstallExecutor that removes executors from the protocol without verifying if at least one executor remains installed. This contrasts with _uninstallValidator, which includes a check to prevent the removal of the last validator. Here’s the vulnerable code snippet:

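function _uninstallExecutor(address executor, bytes calldata data) internal virtual {
    // data carries the list entry preceding `executor` and the module's uninstall payload
    (address prev, bytes memory disableModuleData) = abi.decode(data, (address, bytes));
    // Unlinks `executor` with no check that another executor remains installed
    _getAccountStorage().executors.pop(prev, executor);
    IExecutor(executor).onUninstall(disableModuleData);
}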

Impact

This vulnerability could lead to a situation where every executor has been removed from the protocol. Functionality in Nexus.sol that depends on executors would then become unavailable, potentially disrupting the protocol's operation and leading to a denial of service.

Tools Used

Manual Code Review

Recommendations

Modify _uninstallExecutor to include a check ensuring that at least one executor remains installed before allowing any to be uninstalled:

require(!(prev == address(0x01) && executors.getNext(executor) == address(0x01)), "CannotRemoveLastExecutor");
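
The recommended check works because of how a sentinel-terminated list encodes its ends: an entry whose predecessor and successor are both address(0x01) is the only entry left. The contract below is an added example, not code from Nexus or from the submission; the contract, its function names and the simplified list are hypothetical, and it assumes address(0x01) is the list sentinel, as the require line implies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of a sentinel-terminated linked list of executors.
// All names here are illustrative; this is not Nexus or library code.
contract ExecutorListModel {
    address internal constant SENTINEL = address(0x01); // assumed sentinel value
    mapping(address => address) internal nextOf; // entry => following entry

    error InvalidEntry(address entry);
    error CannotRemoveLastExecutor();

    constructor() {
        nextOf[SENTINEL] = SENTINEL; // empty list: sentinel points to itself
    }

    function getNext(address entry) public view returns (address) {
        return nextOf[entry];
    }

    // Insert at the head: SENTINEL -> executor -> previous head.
    function install(address executor) external {
        if (executor == address(0) || executor == SENTINEL || nextOf[executor] != address(0)) {
            revert InvalidEntry(executor);
        }
        nextOf[executor] = nextOf[SENTINEL];
        nextOf[SENTINEL] = executor;
    }

    // Unguarded removal, mirroring the snippet above: the list may become empty.
    function uninstall(address prev, address executor) public {
        // The link check also stops a caller from passing a false `prev`.
        if (executor == address(0) || executor == SENTINEL || nextOf[prev] != executor) {
            revert InvalidEntry(executor);
        }
        nextOf[prev] = nextOf[executor];
        nextOf[executor] = address(0);
    }

    // Guarded removal: refuse when `executor` sits between sentinel and sentinel.
    function uninstallGuarded(address prev, address executor) external {
        if (prev == SENTINEL && nextOf[executor] == SENTINEL) {
            revert CannotRemoveLastExecutor();
        }
        uninstall(prev, executor);
    }
}
```

The guard is only sound together with the `nextOf[prev] != executor` validation: without it, a caller could supply a non-sentinel `prev` for the last entry and skip the check.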

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-no-executor-module-left

Invalid, known issue:
> Validator management
> - A Nexus Smart Account could be locked forever if the owner installs a validator in the wrong way and does remove all other valid validators
