HardhatFoundry
30,000 USDC
Submission Details
Severity: high
Valid

Deploying a new account with ETH through `BiconomyMetaFactory.deployWithFactory()` loses funds

Summary

BiconomyMetaFactory.deployWithFactory() does not forward ETH when calling factories.

Vulnerability Details

When users call `createAccount()` on a factory to deploy a new account, they can send ETH with the call, and the factory forwards it to the new account. For example, in NexusAccountFactory, `msg.value` is forwarded to the newly deployed account in `createDeterministicERC1967()`:

NexusAccountFactory.sol#L55-L56

```solidity
// Deploy the account using the deterministic address
(bool alreadyDeployed, address account) = LibClone.createDeterministicERC1967(msg.value, ACCOUNT_IMPLEMENTATION, actualSalt);
```

However, when calling deployWithFactory() in BiconomyMetaFactory, the function does not send msg.value along with the call:

BiconomyMetaFactory.sol#L70-L72

```solidity
function deployWithFactory(address factory, bytes calldata factoryData) external payable returns (address payable createdAccount) {
    require(factoryWhitelist[address(factory)], FactoryNotWhitelisted());
    (bool success, bytes memory returnData) = factory.call(factoryData);
```

Therefore, if a user calls deployWithFactory() with ETH to deploy a new account and send ETH to it in a single call, the ETH sent will be stuck in BiconomyMetaFactory instead of being forwarded to the new account.
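
The behaviour described above, reduced to self-contained stand-in contracts. This is an added example, not code from the Nexus repository: `MockAccount`, `MockFactory`, `MockMetaFactory` and `ForwardingCheck` are hypothetical names, and the whitelist check is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with simplified stand-ins; these are not the Nexus contracts.
contract MockAccount {
    constructor() payable {}
}

contract MockFactory {
    // Like the factory on this page: msg.value goes to the account it deploys.
    function createAccount() external payable returns (address) {
        return address(new MockAccount{ value: msg.value }());
    }
}

contract MockMetaFactory {
    // Pattern from the finding: payable entry point, value dropped at the call.
    function deployVulnerable(address factory, bytes calldata data) external payable returns (address) {
        (bool ok, bytes memory ret) = factory.call(data);
        require(ok, "factory call failed");
        return abi.decode(ret, (address));
    }

    // Recommended form: msg.value travels with the call.
    function deployFixed(address factory, bytes calldata data) external payable returns (address) {
        (bool ok, bytes memory ret) = factory.call{ value: msg.value }(data);
        require(ok, "factory call failed");
        return abi.decode(ret, (address));
    }
}

contract ForwardingCheck {
    // Send some wei to run(); it reverts if either path behaves unexpectedly.
    function run() external payable {
        require(msg.value >= 2, "send at least 2 wei");
        address f = address(new MockFactory());
        bytes memory data = abi.encodeCall(MockFactory.createAccount, ());
        MockMetaFactory meta = new MockMetaFactory();
        uint256 half = msg.value / 2;

        address a = meta.deployVulnerable{ value: half }(f, data);
        assert(a.balance == 0 && address(meta).balance == half); // ETH stays in the meta-factory

        address b = meta.deployFixed{ value: half }(f, data);
        assert(b.balance == half && address(meta).balance == half); // nothing new is left behind
    }
}
```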

Impact

Users calling deployWithFactory() with ETH will lose the ETH sent instead of depositing it into their new account.

Recommendations

In deployWithFactory(), call the factory with msg.value:

- (bool success, bytes memory returnData) = factory.call(factoryData);
+ (bool success, bytes memory returnData) = factory.call{ value: msg.value }(factoryData);
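
Review bot: the `+` line forwards `msg.value` only when the low-level call succeeds, and the lines shown do not include how `success` is handled, so confirm that a `false` result reverts; otherwise the ETH would still end up held by BiconomyMetaFactory. A regression test for this change should send a non-zero value through deployWithFactory() and assert that the new account's balance equals it while the meta-factory's balance is unchanged.
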
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-cannot-msg.value-not-forwarded
