The K1Validator contract's `onInstall` and `onUninstall` functions lack proper authentication mechanisms. This allows any caller to install or uninstall the module, potentially compromising the integrity and security of the smart account.
These functions can be called by any address, potentially leading to unauthorized modifications. In the example scenario, an attacker calls the `onInstall` function, providing their own address as the owner, thereby gaining control over the smart account. Alternatively, an attacker calls the `onUninstall` function, removing the legitimate owner and effectively disabling the module, which can lead to denial of service or loss of control for the rightful owner.
Attackers can install the module on any smart account without restriction. This can lead to the registration of malicious owners or invalid configurations.
Attackers can uninstall the module from any smart account, removing the legitimate owner's access and disrupting the intended functionality of the smart account.
Without proper authentication, the ownership and control mechanisms of smart accounts can be easily bypassed, leading to potential unauthorized operations.
Allowing unauthorized installations and uninstallations increases the attack surface, making it easier for attackers to exploit other potential vulnerabilities within the smart account ecosystem.
Manual Review
Add access control to ensure only authorized addresses can call these functions, such as the owner or a designated admin.
Ensure that only authorized entities (e.g., the smart account itself or a privileged contract) can call the `onInstall` and `onUninstall` functions. This can be achieved using access control mechanisms like `onlyOwner` or similar modifiers.
Before allowing the installation or uninstallation of the module, verify that the caller is the legitimate owner of the smart account. This prevents unauthorized users from modifying the module configuration.
Enhance the initialization checks to ensure that the module cannot be reinstalled or uninstalled by unauthorized parties. This can include additional state variables or flags to track the module's installation status securely.
Emit events for `onInstall` and `onUninstall` actions to maintain a transparent log of these critical operations. This can help in monitoring and auditing for any unauthorized attempts or suspicious activities.
- Transfer of ownerships/uninstallation/installation of modules is gated to the caller, wherein the new owner can only adjust the `smartAccountOwners` storing the current owner based on caller (`msg.sender`) that called the `transferOwnership()` function. This functionalities should - Known issue > A Nexus Smart Account could be locked forever if the owner installs a validator in the wrong way and does remove all other valid validators
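A sketch of the pattern discussed above: module state keyed by the caller (`msg.sender`), an installation-status check, and events for install, uninstall and ownership transfer. This is an added example, not the K1Validator source; the contract name, events and errors are hypothetical, and only `smartAccountOwners`, `onInstall`, `onUninstall` and `transferOwnership()` are names taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Illustrative sketch only (hypothetical contract, not the project's code).
contract CallerKeyedValidatorSketch {
    // Owner configured for each smart account, keyed by the account address.
    mapping(address account => address owner) public smartAccountOwners;

    // Hypothetical events giving an auditable log of each state change.
    event ModuleInstalled(address indexed account, address indexed owner);
    event ModuleUninstalled(address indexed account, address indexed previousOwner);
    event OwnershipTransferred(address indexed account, address indexed newOwner);

    error NoOwnerProvided();
    error ZeroAddressOwner();
    error AlreadyInstalled();
    error NotInstalled();

    /// The calling account installs the module for itself: msg.sender is the storage key.
    function onInstall(bytes calldata data) external {
        if (data.length < 20) revert NoOwnerProvided();
        // Installation-status check: a second install for the same account reverts.
        if (smartAccountOwners[msg.sender] != address(0)) revert AlreadyInstalled();
        address newOwner = address(bytes20(data[:20]));
        if (newOwner == address(0)) revert ZeroAddressOwner();
        smartAccountOwners[msg.sender] = newOwner;
        emit ModuleInstalled(msg.sender, newOwner);
    }

    /// Clears only the caller's own entry; other accounts' entries are never touched.
    function onUninstall(bytes calldata) external {
        address previous = smartAccountOwners[msg.sender];
        if (previous == address(0)) revert NotInstalled();
        delete smartAccountOwners[msg.sender];
        emit ModuleUninstalled(msg.sender, previous);
    }

    /// Replaces the owner recorded for the calling account.
    function transferOwnership(address newOwner) external {
        if (smartAccountOwners[msg.sender] == address(0)) revert NotInstalled();
        if (newOwner == address(0)) revert ZeroAddressOwner();
        smartAccountOwners[msg.sender] = newOwner;
        emit OwnershipTransferred(msg.sender, newOwner);
    }
}
```

In this sketch every write uses `msg.sender` as the mapping key, so a call from any address changes only the entry for that address.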