`validateUserOp` is not compliant with ERC-4337
Summary
validateUserOp is not compliant with ERC-4337.
Vulnerability Details
If the account does not support signature aggregation, it MUST validate the signature is a valid signature of the userOpHash, and SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch. Any other error MUST revert.
If the Module Enable Mode is enabled and the validator isn't installed, validateUserOp function will return VALIDATION_FAILED and won't revert. This contradicts ERC-4337 requirements that any other error MUST revert.
Impact
validateUserOp is not compliant with ERC-4337.
Tools Used
manual
Recommendations
Lead Judging Commences
finding-validateUserOp-revert-return-validator-failed
The argument for medium severity here is the potential inconsistencies with external integrations when validations does not revert during execution called from the entrypoint contract. Similar to issue #200, the impact is arguable, so would leave open for arguments during appeals period.
Appeal created
finding-validateUserOp-revert-return-validator-failed
The argument for medium severity here is the potential inconsistencies with external integrations when validations does not revert during execution called from the entrypoint contract. Similar to issue #200, the impact is arguable, so would leave open for arguments during appeals period.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.