Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Not strictly compliant with ERC-7579

zhuying

Summary

Not strictly compliant with ERC-7579.

Vulnerability Details

ERC-7579:

The account MUST declare what modes are supported in supportsAccountMode (see below) and if a mode is requested that is not supported by the account, the account MUST revert.

function supportsModule(uint256 moduleTypeId) external view virtual returns (bool) {

if (moduleTypeId == MODULE_TYPE_VALIDATOR) return true;

else if (moduleTypeId == MODULE_TYPE_EXECUTOR) return true;

else if (moduleTypeId == MODULE_TYPE_FALLBACK) return true;

else if (moduleTypeId == MODULE_TYPE_HOOK) return true;

else if (moduleTypeId == MODULE_TYPE_MULTI) return true;

else return false;

}

In supportsModule function, we can see five module types is supported.

function _multiTypeInstall(

address module,

bytes calldata initData

)

internal virtual

{

(uint256[] calldata types, bytes[] calldata initDatas) = initData.parseMultiTypeInitData();

uint256 length = types.length;

if (initDatas.length != length) revert InvalidInput();

// iterate over all module types and install the module as a type accordingly

for (uint256 i; i < length; i++) {

uint256 theType = types[i];

if (theType == MODULE_TYPE_VALIDATOR) {

_installValidator(module, initDatas[i]);

}

else if (theType == MODULE_TYPE_EXECUTOR) {

_installExecutor(module, initDatas[i]);

}

else if (theType == MODULE_TYPE_FALLBACK) {

_installFallbackHandler(module, initDatas[i]);

}

else if (theType == MODULE_TYPE_HOOK) {

_installHook(module, initDatas[i]);

}

If the module type is MODULE_TYPE_MULTI, _multiTypeInstall will be called to install module. However in this function, if theType isn't MODULE_TYPE_VALIDATOR or MODULE_TYPE_EXECUTOR or MODULE_TYPE_FALLBACK or MODULE_TYPE_HOOK, it won't be reverted. This contradicts ERC-7579's requirements that if a mode is requested that is not supported by the account, the account MUST revert.

Impact

Not strictly compliant with ERC-7579.

Tools Used

manual

Recommendations

else if (theType == MODULE_TYPE_HOOK) {

_installHook(module, initDatas[i]);

+ } else {

+ revert InvalidModuleTypeId(theType);

}

Updates

Lead Judging Commences

0xnevi Lead Judge

11 months ago

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

zhuying Submitter

10 months ago

0xnevi Lead Judge

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.