Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Potential Exploit via Batch Execution to Bypass Access Control

jo013

Summary

A malicious user can exploit the batch execution mode in the execute function to bypass access control and perform unauthorized actions, such as upgrading the contract to a malicious implementation.

Vulnerability Details

Function: execute
Location: Nexus contract
Issue: The execute function processes batch transactions without sufficiently isolating or validating each transaction's intent. A malicious user can include a call to upgradeToAndCall within a batch, bypassing the onlyEntryPointOrSelf modifier and changing the contract's implementation to a malicious contract.

Scenario:

Access via Entry Point: The malicious user gains access through the entry point.
Craft Malicious Operation: The user operation includes a batch of transactions, one of which calls upgradeToAndCall.
Submit and Validate: The entry point validates and submits the operation.
Batch Execution: The execute function processes the batch, including the unauthorized call to upgradeToAndCall.
Implementation Change: The contract's implementation is changed to a malicious one.
Control: The malicious user gains control over the contract via the new implementation.
Unauthorized Actions: The malicious implementation can perform unauthorized actions, such as transferring funds, modifying state, or installing further malicious modules.

Impact

Security Breach: The malicious implementation can perform unauthorized actions, such as draining funds, modifying state, or installing further malicious modules.
Loss of Trust: Users may lose trust in the contract due to potential security vulnerabilities.
Compliance Issues: Violates the intended security model and access control mechanisms.

Tools Used

Manual Code Review: Analyzed the execute function to identify potential bypasses of access control.
Scenario Simulation: Simulated the batch execution scenario to confirm the exploit.

Recommendations

Isolate Critical Functions:

Ensure that critical functions like upgradeToAndCall cannot be called within a batch execution context.
Implement additional checks to prevent unauthorized calls to critical functions.

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.