HardhatFoundry
30,000 USDC
Submission Details
Severity: medium
Invalid

Nexus accounts cannot be deployed with the same address across multiple chains.

Summary

Nexus accounts cannot be deployed with the same address across multiple chains, breaking cross-chain functionality.

Vulnerability Details

Smart accounts simulate the functionality of EOAs by having the same address across multiple chains, which allows for cross-chain functionality such as bridges to be used.

In all factories, the salt for the account's CREATE2 deployment is taken as the keccak256 hash of the calldata that createAccount() is called with:

NexusAccountFactory.sol#L45-L56

// Compute the actual salt for deterministic deployment
bytes32 actualSalt;
assembly {
    let ptr := mload(0x40)
    let calldataLength := sub(calldatasize(), 0x04)
    mstore(0x40, add(ptr, calldataLength))
    calldatacopy(ptr, 0x04, calldataLength)
    actualSalt := keccak256(ptr, calldataLength)
}
// Deploy the account using the deterministic address
(bool alreadyDeployed, address account) = LibClone.createDeterministicERC1967(msg.value, ACCOUNT_IMPLEMENTATION, actualSalt);

However, when calling createAccount() in BiconomyMetaFactory, K1ValidatorFactory and RegistryFactory, the calldata contains parameters that might not be the same across chains.

For example, the initData parameter of RegistryFactory.createAccount() contains the addresses of modules, the registry and attesters:

RegistryFactory.sol#L86-L95

// Decode the call data to extract the parameters passed to initNexus
(
    BootstrapConfig[] memory validators,
    BootstrapConfig[] memory executors,
    BootstrapConfig memory hook,
    BootstrapConfig[] memory fallbacks,
    ,
    ,
) = abi.decode(innerData, (BootstrapConfig[], BootstrapConfig[], BootstrapConfig, BootstrapConfig[], address, address[], uint8));

It is extremely unlikely that these modules will have the same address across multiple chains, especially since modules can be deployed and used by anyone, not just Biconomy.

As such, due to these parameters, the calldata passed to createAccount() will be different across multiple chains, making it impossible for an owner to have the same smart account address across chains.

Impact

Owners cannot have the same smart account address across multiple chains, breaking cross-chain functionality for Nexus accounts.

Recommendations

This is admittedly not a trivial problem to fix.

Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
