Biconomy: Nexus
Biconomy
HardhatFoundry
30,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

createAccount can be frontran

mxusee

Description

inside K1ValidatorFactory.sol a Nexus account can be created by calling createAccount, inside this function the actualSalt is computed and after some configurations the account is initialized if it was not already deployed

function createAccount(
address eoaOwner,
uint256 index,
address[] calldata attesters,
uint8 threshold
) external payable returns (address payable) {
// Compute the actual salt for deterministic deployment
-> bytes32 actualSalt;
assembly {
let ptr := mload(0x40)
let calldataLength := sub(calldatasize(), 0x04)
mstore(0x40, add(ptr, calldataLength))
calldatacopy(ptr, 0x04, calldataLength)
actualSalt := keccak256(ptr, calldataLength)
}
// Deploy the Nexus contract using the computed salt
(bool alreadyDeployed, address account) = LibClone.createDeterministicERC1967(msg.value, ACCOUNT_IMPLEMENTATION, actualSalt);
// Create the validator configuration using the Bootstrap library
BootstrapConfig memory validator = BootstrapLib.createSingleConfig(K1_VALIDATOR, abi.encodePacked(eoaOwner));
bytes memory initData = BOOTSTRAPPER.getInitNexusWithSingleValidatorCalldata(validator, REGISTRY, attesters, threshold);
// Initialize the account if it was not already deployed
-> if (!alreadyDeployed) {
INexus(account).initializeAccount(initData);
emit AccountCreated(account, eoaOwner, index);
}
return payable(account);
}

The problem however, is that createAccount can be frontran due to a missing unique parameter such as msg.sender. Because of this paramaters passed into the function can be frontran by a malicious user and ultimately create an account before the honest user can do so.

Ultimately, the honest user will be unable to create the account due to the if statement:

if (!alreadyDeployed)

Recommendation

add msg.sender somewhere inside the function so that the creation of an account can not be copied and frontran

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

finding-createAccount-frontrun-salt

Invalid if a new Nexus proxy is already deployed, [`createDeterministicERC1967` will not revert](https://github.com/Vectorized/solady/blob/main/src/utils/LibClone.sol#L745), but simply return, so there is no DoS here. Users should carefully select a unique salt and initData when creating a new Nexus Proxy instance as noted in documentation [here](https://github.com/bcnmy/nexus/wiki/NexusAccountFactory#createaccount)

Appeal created

mxusee Submitter
11 months ago
0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

finding-createAccount-frontrun-salt

Invalid if a new Nexus proxy is already deployed, [`createDeterministicERC1967` will not revert](https://github.com/Vectorized/solady/blob/main/src/utils/LibClone.sol#L745), but simply return, so there is no DoS here. Users should carefully select a unique salt and initData when creating a new Nexus Proxy instance as noted in documentation [here](https://github.com/bcnmy/nexus/wiki/NexusAccountFactory#createaccount)

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.