HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Missing `withHook` Modifier in `executeUserOp` Allows Bypassing Hook Checks

Lines of code

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/Nexus.sol#L158

Impact

The absence of the withHook modifier in the executeUserOp function allows transactions executed by the EntryPoint to bypass critical checks integrated in the installed hookModule. This renders the checks in the hooks useless and can lead to unintended states of the underlying smart account.

Proof of Concept

The Nexus contract is designed to manage modular smart accounts compliant with ERC-7579 and ERC-4337 standards. It includes various functions for executing transactions, such as execute, executeFromExecutor, and executeUserOp. The execute and executeFromExecutor functions are protected by the withHook modifier, which ensures that additional checks specified in the hookModule are applied before and after a transaction is executed.

However, the executeUserOp function lacks this withHook modifier. This function can only be called by the EntryPoint and is responsible for executing user operations. The absence of the withHook modifier means that any transaction executed through executeUserOp can bypass the hook checks.

Example

  1. The hookModule installed for the smart account ensures that the account always has at least 100 USDT in it.

  2. User: A user initiates a transaction to send 50 USDT to another account but the current USDT balance of the smart account is only 120 USDT. The transaction is supposed to be subject to hook checks and should therefore fail since it would lower the USDT account balance below 100.

  3. EntryPoint: The transaction is processed through the EntryPoint, which calls the executeUserOp function.

  4. Smart Account: The executeUserOp function executes the transaction without invoking the withHook modifier and thereby bypasses the hook checks, allowing the transaction to proceed even if it violates the conditions enforced by the hooks.

Recommended Mitigation Steps

To ensure that all transactions are subject to the installed hook checks, the withHook modifier should be added to the executeUserOp function. This will align it with the execute and executeFromExecutor functions, ensuring consistent security measures across all transaction execution paths.
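
The pattern the submission describes, reduced to a minimal model; this is an added example, not code from the submission or from the Nexus repository. Only `withHook`, `execute` and `executeUserOp` are names taken from the page; `IHookLike`, `MinBalanceHook` and `HookedAccount` are hypothetical, the hook interface is assumed to follow the pre/post-check shape of ERC-7579 hooks, and an ETH balance floor stands in for the USDT floor of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration, not the Nexus source; every name below is hypothetical.
interface IHookLike {
    function preCheck(address sender, uint256 value, bytes calldata data) external returns (bytes memory);
    function postCheck(bytes calldata hookData) external;
}

// Constructed hook: the calling account must still hold 100 ether afterwards.
contract MinBalanceHook is IHookLike {
    function preCheck(address, uint256, bytes calldata) external pure returns (bytes memory) {
        return new bytes(0); // nothing to carry over to postCheck in this sketch
    }
    function postCheck(bytes calldata) external view {
        require(msg.sender.balance >= 100 ether, "balance below floor");
    }
}

contract HookedAccount {
    address public immutable entryPoint;
    address public immutable hook; // address(0) means no hook installed

    constructor(address entryPoint_, address hook_) payable { entryPoint = entryPoint_; hook = hook_; }
    modifier onlyEntryPoint() { require(msg.sender == entryPoint, "not EntryPoint"); _; }

    // Wraps the function body between the hook's pre- and post-checks.
    modifier withHook() {
        bytes memory hookData;
        if (hook != address(0)) hookData = IHookLike(hook).preCheck(msg.sender, msg.value, msg.data);
        _;
        if (hook != address(0)) IHookLike(hook).postCheck(hookData);
    }

    // Hooked path: postCheck runs after the transfer and can revert the whole call.
    function execute(address payable to, uint256 amount) external onlyEntryPoint withHook {
        _send(to, amount);
    }

    // Path without the modifier, as the submission describes executeUserOp.
    function executeUserOp(address payable to, uint256 amount) external onlyEntryPoint {
        _send(to, amount);
    }

    function _send(address payable to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the account funded with 120 ether, a 50 ether transfer through `execute` reverts in `postCheck`, while the same transfer through `executeUserOp` in this model completes and leaves 70 ether.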

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

finding-executeUserOP-no-hook-check-withhook

Invalid, [hooks are optional for the protocol](https://eips.ethereum.org/EIPS/eip-7579#hooks), and are only used to check for module installation, so if the eventual user action is to install a module via invoking `executeUserOp` using the entry point, the appropriate hook checks will still be invoked.
