Summary

The createAccount method in Factory calls the createDeterministically method from LibClone that uses the create2 opcode. The create2 method also has a salt parameter that is passed to the createDeterministicallyERC1967 call. A malicious actor can front-run every call to create2 and use the same salt argument. This will result in reverts of all user transactions, as there is already a Nexus account at the address that create2 tries to deploy to.

Vulnerability Details

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/K1ValidatorFactory.sol#L93

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/NexusAccountFactory.sol#L56

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/RegistryFactory.sol#L123

The address collision an attacker will need to find are:

• One undeployed Nexus address (1).

• Arbitrary attacker-controlled wallet contract (2).

Both sets of addresses can be brute-force searched because:

• As shown above, salt is a user-supplied parameter. By brute-forcing many salt values, we have obtained many different (undeployed) wallet accounts for (1). The user can know the address of the Nexus accounts before deploying it, since as seen in the code comments, the result is deterministic.

• (2) can be searched the same way. The contract just has to be deployed using CREATE2, and the salt is in the attacker's control by definition.

An attacker can find any single address collision between (1) and (2) with high probability of success using the following meet-in-the-middle technique, a classic brute-force-based attack in cryptography:

• Brute-force a sufficient number of values of salt (2^80), pre-compute the resulting account addresses, and efficiently store them e.g. in a Bloom filter data structure.

• Brute-force contract pre-computation to find a collision with any address within the stored set in step 1.

References

• EIP-3607, which rationale is this exact attack. The EIP is in final state.

• A blog post discussing the cost (money and time) of this exact attack.

The hashrate of the BTC network has reached 6.5 x 10^20 hashes per second as of time of writing, taking only just 31 minutes to achieve 2^80 hashes. A fraction of this computing power will still easily find a collision in a reasonably short timeline.

Impact

Address collision leading to DOS for users

Tools Used

Various articles

Recommendations

Adding msg.sender to the salt argument passed to cloneDeterministically will resolve this issue.