Biconomy: Nexus
Biconomy
HardhatFoundry
30,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Incorrect Module Whitelisting Check

mujahideth

Summary

The isModuleAllowed function fails to properly validate module whitelisting, always returning true. This critical flaw undermines the entire module validation process, exposing the system to potential attacks and unauthorized access.

Vulnerability Details

The isModuleAllowed function in the smart contract always returns true, regardless of the actual whitelisting status of the module. This bypasses the intended security check.

function isModuleAllowed(address module, uint256 moduleType) public view returns (bool) {REGISTRY.check(module, moduleType, attesters, threshold);return true; // Always returns true}

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/RegistryFactory.sol#L151

Impact

This vulnerability allows any module, including malicious ones, to pass the whitelisting check. Consequently, unauthorized modules can be added to the system, potentially compromising its security and functionality.

Tools Used

Manual Review

Recommendations

Modify the isModuleAllowed function to return the actual result of the REGISTRY.check call:

function isModuleAllowed(address module, uint256 moduleType) public view returns (bool) {return REGISTRY.check(module, moduleType, attesters, threshold);}
Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.