HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Insufficient Validation in Hook Module Uninstallation

Summary

The _uninstallHook function fails to verify if the hook being uninstalled is the currently active hook. This oversight allows for the uninstallation of any hook address provided, potentially leading to security risks and inconsistent contract states.

Vulnerability Details

The original _uninstallHook function lacks a crucial check to verify if the hook being uninstalled is the currently installed hook. This allows for the uninstallation of any hook, regardless of its current installation status.

    function _uninstallHook(address hook, bytes calldata data) internal virtual {
        // The hook slot is cleared without comparing `hook` to the installed hook.
        _setHook(address(0));
        IHook(hook).onUninstall(data);
    }

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L261

Impact

Unintended removal of active hooks.

Tools Used

Manual review

Recommendations

Implement a check to ensure the hook being uninstalled matches the currently installed hook.

    function _uninstallHook(address hook, bytes calldata data) internal virtual {
        // Reject any address other than the currently installed hook.
        address currentHook = _getHook();
        require(hook == currentHook, "Cannot uninstall a hook that is not currently installed");
        _setHook(address(0));
        IHook(hook).onUninstall(data);
    }

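
The difference between the two versions above, as an added example that is not part of the submission or of the project's code: a simplified model in which `HookSlot`, `RecordingHook` and `HookSlotCheck` are hypothetical names and the uninstall functions are made external so they can be called directly. Both check functions return true when the behaviour matches the description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example: simplified stand-ins, not the project's contracts.
interface IHook { function onUninstall(bytes calldata data) external; }

// Hypothetical hook that records whether onUninstall reached it.
contract RecordingHook is IHook {
    bool public uninstallCalled;
    function onUninstall(bytes calldata) external override { uninstallCalled = true; }
}

// Hypothetical model of the single hook slot with both uninstall variants.
contract HookSlot {
    address public hook;
    function install(address h) external { hook = h; }

    // As reported: the slot is cleared whatever address is passed in.
    function uninstallUnchecked(address h, bytes calldata data) external {
        hook = address(0);
        IHook(h).onUninstall(data);
    }

    // As recommended: only the currently installed hook may be removed.
    function uninstallChecked(address h, bytes calldata data) external {
        require(h == hook, "Cannot uninstall a hook that is not currently installed");
        hook = address(0);
        IHook(h).onUninstall(data);
    }
}

// Constructed scenario: `active` is installed, `other` never was.
contract HookSlotCheck {
    function uncheckedClearsActiveHook() external returns (bool) {
        (HookSlot slot, RecordingHook active, RecordingHook other) = _setup();
        slot.uninstallUnchecked(address(other), "");
        // Slot is empty, yet the active hook was never notified.
        return slot.hook() == address(0) && !active.uninstallCalled() && other.uninstallCalled();
    }

    function checkedKeepsActiveHook() external returns (bool) {
        (HookSlot slot, , RecordingHook other) = _setup();
        try slot.uninstallChecked(address(other), "") { return false; }
        catch { return slot.hook() != address(0) && !other.uninstallCalled(); }
    }

    function _setup() private returns (HookSlot s, RecordingHook a, RecordingHook o) {
        (s, a, o) = (new HookSlot(), new RecordingHook(), new RecordingHook());
        s.install(address(a));
    }
}
```
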
Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
