Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Registry is never called when setting up modules using the `Bootstrap` contract

MiloTruck

Summary

In the Bootstrap contract, the registry is never called as modules are installed before calling _configureRegistry().

Vulnerability Details

According to EIP-7484, the module registry must be queried at least once before or during the transaction in which a module is installed:

A Smart Account MUST implement the following Adapter functionality either natively in the account or as a module. This Adapter functionality MUST ensure that:

The Registry is queried about module A at least once before or during the transaction in which A is called for the first time.

However, when setting up modules and the registry for smart accounts through the Bootstrap contract, the registry is only configured after modules are installed.

Using initNexusWithSingleValidator() as example, _configureRegistry() is only called after the validator has been installed in _installValidator():

RegistryBootstrap.sol#L38-L47

function initNexusWithSingleValidator(

IModule validator,

bytes calldata data,

IERC7484 registry,

address[] calldata attesters,

uint8 threshold

) external {

_installValidator(address(validator), data);

_configureRegistry(registry, attesters, threshold);

}

As a result, when modules are installed through the Bootstrap contract, the registry is never called as registry in RegistryAdapter has not been set when the withHook modifier (which calls _checkRegistry) is reached:

RegistryAdapter.sol#L36-L42

function _checkRegistry(address module, uint256 moduleType) internal view {

IERC7484 moduleRegistry = registry;

if (address(moduleRegistry) != address(0)) {

// this will revert if attestations / threshold are not met

moduleRegistry.check(module, moduleType);

}

Essentially, the order of operations in initNexusWithSingleValidator() is:

Call _installValidator():
- In withHook, registry == address(0) so the registry is not called.
- Install the validator, which calls validator.onInstall().
Call _configureRegistry(), which sets registry to the registry address.

Therefore, since the registry is never queried although onInstall() is called on the modules being installed, the function violates the EIP-7484 spec.

Note that this applies to initNexus() and initNexusScoped() as well.

Impact

When setting up modules through functions in Bootstrap, it is possible for modules not registered in the registry to be installed, which is a bypass of access control.

Recommendations

For all functions in the Bootstrap contract, consider calling _configureRegistry() before installing modules.

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-should-registry-configure-before-module-install

Valid high, since a security feature is compromised, I believe this warrants high severity.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.