HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Fallback handlers with clashing function signatures cannot be used

Summary

Functions in fallback handlers with the same signature as functions in the Nexus implementation or onERC721Received(), onERC1155Received() and onERC1155BatchReceived() can never be used.

Vulnerability Details

In ModuleManager.sol, the fallback function calls the receiverFallback modifier:

ModuleManager.sol#L72

fallback() external payable override(Receiver) receiverFallback {

The receiverFallback modifier checks whether the first 4 bytes of the calldata (i.e. msg.sig) equal the function selector of onERC721Received(), onERC1155Received() or onERC1155BatchReceived(), and simply returns if so:

Receiver.sol#L19-L32

modifier receiverFallback() virtual {
    /// @solidity memory-safe-assembly
    assembly {
        let s := shr(224, calldataload(0))
        // 0x150b7a02: `onERC721Received(address,address,uint256,bytes)`.
        // 0xf23a6e61: `onERC1155Received(address,address,uint256,uint256,bytes)`.
        // 0xbc197c81: `onERC1155BatchReceived(address,address,uint256[],uint256[],bytes)`.
        if or(eq(s, 0x150b7a02), or(eq(s, 0xf23a6e61), eq(s, 0xbc197c81))) {
            mstore(0x20, s) // Store `msg.sig`.
            return(0x3c, 0x20) // Return `msg.sig`.
        }
    }
    _;
}

If a Nexus account is called with any of these function signatures, it will simply return.

Therefore, if a fallback handler module has a function that happens to have the same signature as those listed above, it cannot be used as that function cannot be called through the fallback function.

Additionally, handler functions whose signatures clash with functions in the Nexus implementation cannot be used either, since the implementation's own function is dispatched before the fallback is ever reached.

Impact

Fallback handlers that have functions with clashing signatures cannot be used by Nexus accounts.

Recommendations

Consider implementing the functionality of receiverFallback as a fallback handler instead, which gives Nexus account owners the option to opt-out of such functionality.

Additionally, document that functions with signatures that clash with functions in the Nexus implementation cannot be called through the fallback function.

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-fallback-handler-selector-clash

This is a very clever exploit, however, would be dependent on:
- The user installing the malicious fallback handler.
- Additionally, it is highly constrained because it would require the input parameters (`to` and `amount`) of `withdrawDepositTo()`, which are also considered when determining the function signature, to coincide with the same input parameters of the malicious functionality of the fallback handler.

Issues #185 and #190 are pointing to similar function clashing root causes so duplicating, but does lack a similar detailed explanation of exploit path.

Appeal created

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-fallback-handler-selector-clash

This is a very clever exploit, however, would be dependent on:
- The user installing the malicious fallback handler.
- Additionally, it is highly constrained because it would require the input parameters (`to` and `amount`) of `withdrawDepositTo()`, which are also considered when determining the function signature, to coincide with the same input parameters of the malicious functionality of the fallback handler.

Issues #185 and #190 are pointing to similar function clashing root causes so duplicating, but does lack a similar detailed explanation of exploit path.
