Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Once a module has been installed, it may not be uninstalled

forgetfore1

Summary

Once a module has been installed, it may not be uninstalled, leading to a Denial of Service (DoS) on the Nexus::uninstallModule(uint256, address, bytes calldata) function for this module.

Vulnerability Details

When a module is installed, it may not be uninstalled using the function Nexus::uninstallModule(uint256, address, bytes calldata). This is because the module could revert the whole transaction when the function IModule::onUninstall(bytes calldata) is called on it during the execution of Nexus::uninstallModule(uint256, address, bytes calldata). This behavior could lead to a DoS on the uninstallModule function for a given module. The vulnerability lies in the fact that the only way to uninstall a module relies on a function of the module itself.

Proof of Code

contract ModuleHook is IHook {

uint constant hookId = 1;

function preCheck(address msgSender, uint256 msgValue, bytes calldata msgData) external returns (bytes memory hookData) {

// code

}

function postCheck(bytes calldata hookData) external {

// code

}

function onUninstall(bytes calldata data) external {

revert();

}

function onInstall(bytes calldata data) external {

// Installation code

}

function isModuleType(uint256 moduleTypeId) external view returns (bool) {

return hookId == moduleTypeId;

}

function isInitialized(address smartAccount) external view returns (bool) {

// Initialization code

}

If a user chooses to install this Hook module for any reason on their Nexus account, it cannot be uninstalled due to the call to the ModuleHook::onUninstall(bytes calldata data) function during the execution of Nexus::uninstallModule(uint256, address, bytes calldata).

Impact

The impact of this vulnerability could lead to a DoS on the Nexus::uninstallModule(uint256, address, bytes calldata) function, preventing the uninstallation of a given module.

Tools Used

Manual review

Recommendations

To resolve this issue, it is recommended to add a Nexus::forceUninstallModule(uint256 moduleTypeId, address module, bytes calldata deInitData) function. This function should allow a user to force the uninstallation of a module from their Nexus Account without invoking any functions on the module itself. By bypassing the module's internal functions, this approach prevents a module from causing a Denial of Service (DoS) during the uninstallation process, ensuring the integrity and functionality of the Nexus system.

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Appeal created

forgetfore1 Submitter

about 1 year ago

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.