Modules could maliciously revert on `onUninstall` to stop the account from uninstalling a module.
This is an expressed concern in EIP-7595 security considerations. However, there is no fix to it in the current implementation (attestation registries seem to not handle it all).
The `onInstall` and `onUninstall` functions on modules may lead to unexpected callbacks (e.g. reentrancy). Account implementations should consider this by implementing adequate protection routines. Furthermore, modules could maliciously revert on onUninstall to stop the account from uninstalling a module and removing it from the account.
Accounts become "stuck" with malicious modules. The possibilities are endless.
Modify `MockHook::onUninstall` to include a revert:
Run `forge test --mt test_UninstallHookModule_Success`, here is the expected output:
Foundry
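One way an account can keep a reverting `onUninstall` from blocking removal, shown as an added example that is not Nexus code or part of the submission. `UninstallSketch`, `RevertingModule`, the `installed` mapping and the gas ceiling are hypothetical names and values chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Only the module callback discussed on this page.
interface IModule {
    function onUninstall(bytes calldata data) external;
}

// Constructed stand-in for a module whose onUninstall always reverts.
contract RevertingModule is IModule {
    function onUninstall(bytes calldata) external pure {
        revert("refuse uninstall");
    }
}

// Hypothetical account fragment (assumption, not the project's code):
// module bookkeeping is reduced to one mapping so that the uninstall
// path is the only moving part.
contract UninstallSketch {
    mapping(address => bool) public installed;

    // callbackOk == false tells monitoring that the module's own cleanup
    // did not run, even though the account no longer trusts the module.
    event ModuleUninstalled(address indexed module, bool callbackOk);

    // Illustrative gas ceiling for the callback (assumed value).
    uint256 private constant UNINSTALL_GAS = 200_000;

    constructor(address module) {
        installed[module] = true;
    }

    // Access control (entry point or self-call only) is omitted here
    // and must exist in a real account.
    function uninstallModule(address module, bytes calldata deInitData) external {
        require(installed[module], "not installed");

        // Effects before interaction: the module is already removed when
        // it gets control, which also narrows the reentrancy window.
        installed[module] = false;

        // Low-level call with a zero-length output buffer: a revert cannot
        // bubble up and oversized return data is never copied.
        bytes memory payload = abi.encodeCall(IModule.onUninstall, (deInitData));
        bool ok;
        assembly {
            ok := call(UNINSTALL_GAS, module, 0, add(payload, 0x20), mload(payload), 0, 0)
        }
        emit ModuleUninstalled(module, ok);
    }
}
```

Deploying `UninstallSketch` with a `RevertingModule` address and calling `uninstallModule` leaves `installed[module]` false and emits `ModuleUninstalled(module, false)`.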
Invalid,

- hook logic is OOS
- all other `onUninstall()` functions do not revert, so the hawk here is essentially introducing code logic that doesn't exist.
- Known issue:

> The security of Nexus smart accounts relies heavily on the modules used. Only secure and audited modules should be installed to maintain the overall security of the system.