Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Nexus Smart Accounts is not compliant with ERC-7579

zukanopro

Vulnerability Details

In the Nexuscontract, in the fallback function, if calltype is static, it will call to handlercontract by using staticcall:

fallback() external payable override(Receiver) receiverFallback {

FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];

address handler = $fallbackHandler.handler;

CallType calltype = $fallbackHandler.calltype;

require(handler != address(0), MissingFallbackHandler(msg.sig));

if (calltype == CALLTYPE_STATIC) {

assembly {

calldatacopy(0, 0, calldatasize())

// The msg.sender address is shifted to the left by 12 bytes to remove the padding

// Then the address without padding is stored right after the calldata

mstore(calldatasize(), shl(96, caller()))

if iszero(staticcall(gas(), handler, 0, add(calldatasize(), 20), 0, 0)) { // <---

returndatacopy(0, 0, returndatasize())

revert(0, returndatasize())

}

returndatacopy(0, 0, returndatasize())

return(0, returndatasize())

}

. . . . . .

}

But in EIP-7579 link, If the smart account has a fallback handler installed, it MUST use call to invoke the fallback handler. This will lead to unexpected result when using staticcall instead of call

Impact

Contract are not compliant with ERC-7579, and will lead to unexpected result because of using staticcall instead of call.

Tools Used

Manual review

Recommendations

Using call instead of staticcall

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Other

Assigned finding tags:

finding-ERC7579-fallback-staticcall

Invalid, although ERC7579 is violated, staticcall is a desired supported fallback call type as seen in the [documentation](https://github.com/bcnmy/nexus/wiki/Execution-Framework#key-concepts), and there will be no exploit possible

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.