Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incomplete Parameter Documentation

scoolj

Summary

The NatSpec comments indicate that the function takes two parameters (an address and a uint256), but the actual function definition takes four parameters (an address, a uint256, an array of addresses, and a uint8). This discrepancy can cause confusion about which parameters are expected and how the function operates. Additionally, the function does not use any of the parameters directly within its logic, only using the calldata to compute the salt.

Vulnerability Details

Description: The function K1ValidatorFactory::computeAccountAddress has four parameters in its definition, but the NatSpec comments only mention two parameters and do not provide names or descriptions for any of the parameters. Furthermore, none of these parameters are used within the function body, which can be misleading and confusing for developers.

Proof of Concept:

Initial Documentation:

/// @notice Computes the expected address of a Nexus contract using the factory's deterministic deployment algorithm.

/// @param - The address of the EOA owner of the Nexus.

/// @param - The index of the Nexus.

/// @return expectedAddress The expected address at which the Nexus contract will be deployed if the provided parameters are used.

Function Definition:

function computeAccountAddress(address, uint256, address[] calldata, uint8) external view returns (address payable expectedAddress) {

// Compute the actual salt for deterministic deployment

bytes32 actualSalt;

assembly {

let ptr := mload(0x40)

let calldataLength := sub(calldatasize(), 0x04)

mstore(0x40, add(ptr, calldataLength))

calldatacopy(ptr, 0x04, calldataLength)

actualSalt := keccak256(ptr, calldataLength)

}

// Predict the deterministic address using the LibClone library

expectedAddress = payable(LibClone.predictDeterministicAddressERC1967(ACCOUNT_IMPLEMENTATION, actualSalt, address(this)));

Unused Parameters Observation: The parameters address, uint256, address[] calldata, and uint8 are passed to the function, but none of them are used within the function body. Instead, the function relies on the calldata to compute the salt.

Impact

Developer Confusion: Developers might not fully understand how to use the function due to incomplete and unclear documentation, leading to potential misuse.

Code Maintenance Issues: Future maintainers may struggle to understand the purpose and use of the function and its parameters, making it harder to modify and maintain the code.
Misleading Information: Incomplete NatSpec comments provide misleading information about the function, which can lead to errors in implementation and usage.

Tools Used

Manual Review

Recommendations

Update the NatSpec comments to accurately reflect all parameters and their intended use. Provide names and descriptions for each parameter.

If the parameters are not needed, consider removing them from the function definition to avoid confusion.

Updates

Lead Judging Commences

0xnevi Lead Judge

11 months ago

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.