Hardhat, Foundry
30,000 USDC
Submission Details
Severity: medium
Invalid

BiconomyMetaFactory.sol#deployWithFactory() - `factoryWhitelist` can easily be bypassed

Vulnerability Details

BiconomyMetaFactory is the entry point that interfaces with the other factories that implement createAccount. It also keeps a whitelist of factory addresses: if the target factory is not on the list, deployWithFactory will revert before forwarding the call.

    function deployWithFactory(address factory, bytes calldata factoryData) external payable returns (address payable createdAccount) {
        require(factoryWhitelist[address(factory)], FactoryNotWhitelisted());
        (bool success, bytes memory returnData) = factory.call(factoryData);
        // Check if the call was successful
        require(success, CallToDeployWithFactoryFailed());
        // Decode the returned address
        assembly {
            createdAccount := mload(add(returnData, 0x20))
        }
    }

The problem is that K1ValidatorFactory, NexusAccountFactory and RegistryFactory put no additional access control on their createAccount functions. Anyone can call createAccount on those factories directly and never touch deployWithFactory, so the whitelist check is sidestepped entirely. Since the whitelist is the only thing deployWithFactory adds over a direct call to the factory, this makes its role in BiconomyMetaFactory pointless.

Impact

The whitelist check in deployWithFactory can be bypassed by calling a factory's createAccount directly.

Tools Used

Manual Review

Recommendations

Add access control to the createAccount functions of all the factories, for example by restricting them to calls that arrive through BiconomyMetaFactory.
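The bypass path described above and the recommended hardening, as an added Foundry example that is not Biconomy's code: ToyMetaFactory, OpenFactory, GatedFactory, ToyAccount and the onlyMetaFactory modifier are hypothetical stand-ins, and the createAccount(owner, salt) signature is assumed for illustration. OpenFactory mirrors a factory with no caller check; GatedFactory only honours calls that come through the meta factory, so its createAccount cannot be reached without passing the whitelist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Biconomy's code. All contract, function and error
// names here are hypothetical; only the deployWithFactory shape follows the finding.
import {Test} from "forge-std/Test.sol";

contract ToyAccount {
    address public owner;
    constructor(address _owner) { owner = _owner; }
}

// No caller check: anyone can deploy through this factory directly and never
// touch the meta factory's whitelist.
contract OpenFactory {
    function createAccount(address owner, uint256 salt) external returns (address) {
        return address(new ToyAccount{salt: bytes32(salt)}(owner));
    }
}

// Recommended hardening: only the meta factory may call createAccount, so the
// whitelist check in deployWithFactory is always on the path.
contract GatedFactory {
    address public immutable metaFactory;
    error OnlyMetaFactory();
    constructor(address _metaFactory) { metaFactory = _metaFactory; }
    modifier onlyMetaFactory() {
        if (msg.sender != metaFactory) revert OnlyMetaFactory();
        _;
    }
    function createAccount(address owner, uint256 salt) external onlyMetaFactory returns (address) {
        return address(new ToyAccount{salt: bytes32(salt)}(owner));
    }
}

// Minimal meta factory with the same whitelist-then-forward structure.
contract ToyMetaFactory {
    error FactoryNotWhitelisted();
    error CallToDeployWithFactoryFailed();
    address public immutable admin;
    mapping(address => bool) public factoryWhitelist;
    constructor() { admin = msg.sender; }
    function addFactoryToWhitelist(address factory) external {
        require(msg.sender == admin, "not admin");
        factoryWhitelist[factory] = true;
    }
    function deployWithFactory(address factory, bytes calldata factoryData) external payable returns (address payable createdAccount) {
        if (!factoryWhitelist[factory]) revert FactoryNotWhitelisted();
        (bool success, bytes memory returnData) = factory.call{value: msg.value}(factoryData);
        if (!success) revert CallToDeployWithFactoryFailed();
        createdAccount = payable(abi.decode(returnData, (address)));
    }
}

contract WhitelistBypassTest is Test {
    ToyMetaFactory meta;
    OpenFactory open;
    GatedFactory gated;

    function setUp() public {
        meta = new ToyMetaFactory();
        open = new OpenFactory();                 // deliberately NOT whitelisted
        gated = new GatedFactory(address(meta));
        meta.addFactoryToWhitelist(address(gated));
    }

    // The bypass: a non-whitelisted factory still deploys when called directly.
    function testOpenFactoryDeploysWithoutWhitelist() public {
        address acct = open.createAccount(address(0xBEEF), 1);
        assertGt(acct.code.length, 0);
    }

    // After hardening, a direct call to the factory is rejected...
    function testGatedFactoryRejectsDirectCall() public {
        vm.expectRevert(GatedFactory.OnlyMetaFactory.selector);
        gated.createAccount(address(0xBEEF), 1);
    }

    // ...and the only working path goes through the whitelist check.
    function testGatedFactoryDeploysViaMetaFactory() public {
        bytes memory data = abi.encodeCall(GatedFactory.createAccount, (address(0xBEEF), 1));
        address acct = meta.deployWithFactory(address(gated), data);
        assertGt(acct.code.length, 0);
    }
}
```

Run with forge test in a project that has forge-std installed. Note the trade-off the gated variant introduces: once createAccount only accepts msg.sender == metaFactory, nothing else can deploy accounts through that factory, including an ERC-4337 initCode whose factory address points at the gated factory rather than at the meta factory, since the EntryPoint's sender creator would then be the caller. Whether that is acceptable depends on what the whitelist was meant to guarantee, which is the point the judge's ruling below turns on.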

Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
