HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Hook, executor, validator and fallbackHandler can't be uninstalled when the module's `onUninstall()` function reverts or does not exist

Summary

When a hook, executor, fallbackHandler or validator is uninstalled, the account calls `onUninstall()` on that module. If that function reverts, or the module does not implement it, the whole uninstall call reverts and the module cannot be removed.

Vulnerability Details

Each of the four internal uninstall functions ends by calling the module's `onUninstall()`:

`_uninstallValidator()`:

```solidity
function _uninstallValidator(address validator, bytes calldata data) internal virtual {
    SentinelListLib.SentinelList storage validators = _getAccountStorage().validators;
    (address prev, bytes memory disableModuleData) = abi.decode(data, (address, bytes));
    // Check if the account has at least one validator installed before proceeding
    // Having at least one validator is a requirement for the account to function properly
    require(!(prev == address(0x01) && validators.getNext(validator) == address(0x01)), CannotRemoveLastValidator());
    validators.pop(prev, validator);
    IValidator(validator).onUninstall(disableModuleData); // <---
}
```

`_uninstallExecutor()`:

```solidity
function _uninstallExecutor(address executor, bytes calldata data) internal virtual {
    (address prev, bytes memory disableModuleData) = abi.decode(data, (address, bytes));
    _getAccountStorage().executors.pop(prev, executor);
    IExecutor(executor).onUninstall(disableModuleData); // <---
}
```

`_uninstallHook()`:

```solidity
function _uninstallHook(address hook, bytes calldata data) internal virtual {
    _setHook(address(0));
    IHook(hook).onUninstall(data); // <---
}
```

`_uninstallFallbackHandler()`:

```solidity
function _uninstallFallbackHandler(address fallbackHandler, bytes calldata data) internal virtual {
    _getAccountStorage().fallbacks[bytes4(data[0:4])] = FallbackHandler(address(0), CallType.wrap(0x00));
    IFallback(fallbackHandler).onUninstall(data[4:]); // <---
}
```

In Solidity, a high-level external call reverts when the target does not implement the selector and has no `fallback()`, and it also reverts when the target has no code at all (the compiler's `extcodesize` check runs in the caller before the call). If `onUninstall()` is missing or reverts for any other reason, that revert bubbles up through the uninstall function, and the state changes made before the call (`pop`, `_setHook(address(0))`, clearing the fallback slot) are rolled back with it. The hook, validator, executor or fallbackHandler therefore cannot be removed from the account.

Impact

A module whose `onUninstall()` reverts or does not exist cannot be uninstalled; the account is stuck with it.

Tools Used

Manual review.

Recommendations

Wrap the `onUninstall()` calls in try/catch so that a reverting or missing callback does not block removal of the module.
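The two failure modes described above and the try/catch recommendation, worked through in a constructed minimal account. This is an added example, not Nexus code: `MinimalAccount`, `UNINSTALL_GAS` and the two fixture modules are assumptions for illustration, and the module interface is reduced to the two lifecycle callbacks the report is about. It places the strict form the report describes next to a lenient form, and handles two things a bare try/catch does not: a high-level call to an address with no code reverts in the caller's `extcodesize` check before the `try` block can catch anything, and a callback with uncapped gas can still burn the whole transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not Nexus code): only the install/uninstall callbacks are modelled.
interface IModule {
    function onInstall(bytes calldata data) external;
    function onUninstall(bytes calldata data) external;
}

contract MinimalAccount {
    event ModuleUninstalled(address indexed module, bool cleanupSucceeded);

    // Assumed gas cap for the callback; Nexus defines no such constant.
    uint256 internal constant UNINSTALL_GAS = 100_000;

    mapping(address => bool) public installed;

    function install(address module, bytes calldata data) external {
        installed[module] = true;
        IModule(module).onInstall(data);
    }

    // Form the report describes: the bookkeeping is undone first, but any revert
    // from onUninstall() (explicit revert, unknown selector with no fallback, or the
    // compiler's extcodesize check for an address with no code) bubbles up and rolls
    // the whole call back, so `installed[module]` stays true.
    function uninstallStrict(address module, bytes calldata data) external {
        require(installed[module], "not installed");
        installed[module] = false;
        IModule(module).onUninstall(data);
    }

    // Form the recommendation describes. Three details matter:
    //  1. clear the account's own state before calling out, so the callback cannot
    //     re-enter while the module is still marked installed;
    //  2. guard the no-code case explicitly: try/catch only catches reverts that
    //     happen inside the call, not the caller-side extcodesize check;
    //  3. cap the forwarded gas so a callback that loops forever cannot consume the
    //     transaction (the caller still needs enough gas left after the 63/64 rule).
    function uninstallLenient(address module, bytes calldata data) external {
        require(installed[module], "not installed");
        installed[module] = false;

        bool ok = false;
        if (module.code.length != 0) {
            try IModule(module).onUninstall{gas: UNINSTALL_GAS}(data) {
                ok = true;
            } catch {
                // Deliberately ignored: removal must never depend on the module.
            }
        }
        emit ModuleUninstalled(module, ok);
    }
}

// Constructed fixtures reproducing the two failure modes in the report.
contract RevertingModule is IModule {
    function onInstall(bytes calldata) external override {}

    function onUninstall(bytes calldata) external pure override {
        revert("module refuses to be removed");
    }
}

contract NoUninstallModule {
    function onInstall(bytes calldata) external {}
    // No onUninstall() and no fallback(): a call with that selector reverts.
}
```

Installing either fixture and then calling `uninstallStrict` reverts and leaves `installed[module] == true`; `uninstallLenient` clears the flag and emits `ModuleUninstalled(module, false)`. One caveat remains even in the lenient form: a try/catch copies the callee's return or revert data into the caller's memory, so a module that returns a very large payload still imposes memory-expansion cost on the account; avoiding that requires a low-level call that never copies return data. The trade-off is that a module's own cleanup is no longer guaranteed to run, which is the same line the judge draws from the other side when relying on only installing audited modules.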

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

finding-onuninstall-revert

Invalid.

- hook logic is OOS
- all other `onUninstall()` functions do not revert, so the hawk here is essentially introducing code logic that doesn't exist.
- Known issue:

> The security of Nexus smart accounts relies heavily on the modules used. Only secure and audited modules should be installed to maintain the overall security of the system.
