Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Calling fallback handlers with `staticcall` violates EIP-7579

MiloTruck

Summary

The fallback function in ModuleManager allows fallback handlers to be called with staticcall, which violates EIP-7579.

Vulnerability Details

The README states that Nexus is compliant with ERC-7579:

Nexus is a suite of contracts for Modular Smart Accounts compliant with ERC-7579 and ERC-4337

According to EIP-7579, fallback handlers must be invoked using call:

If the smart account has a fallback handler installed, it:

MUST implement authorization control

MUST use call to invoke the fallback handler

However, the fallback function in ModuleManager allows fallback handlers to be invoked using staticcall instead:

ModuleManager.sol#L78-L93

if (calltype == CALLTYPE_STATIC) {

assembly {

calldatacopy(0, 0, calldatasize())

// The msg.sender address is shifted to the left by 12 bytes to remove the padding

// Then the address without padding is stored right after the calldata

mstore(calldatasize(), shl(96, caller()))

if iszero(staticcall(gas(), handler, 0, add(calldatasize(), 20), 0, 0)) {

returndatacopy(0, 0, returndatasize())

revert(0, returndatasize())

}

returndatacopy(0, 0, returndatasize())

return(0, returndatasize())

}

This is a violation of EIP-7579. External integrations that rely on fallback handlers could call Nexus accounts assuming that a call would be executed, but a staticcall is performed instead. This could cause the call to the fallback handler to incorrectly revert if the function called performs state changes.

Impact

Allowing fallback handlers to be called with staticcall violates EIP-7579, breaking composability with external integrations.

Recommendations

Consider only allowing fallback handlers to be called with a regular call.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Assigned finding tags:

finding-ERC7579-fallback-staticcall

Invalid, although ERC7579 is violated, staticcall is a desired supported fallback call type as seen in the [documentation](https://github.com/bcnmy/nexus/wiki/Execution-Framework#key-concepts), and there will be no exploit possible

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.