Biconomy: Nexus

HardhatFoundry
30,000 USDC
Submission Details
Severity: medium
Valid

Anyone can call the fallbackFunction because of missing authorization control

Updates

Lead Judging Commences

0xnevi Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-fallback-missing-access-control-module-manager

There is indeed no access control within `fallback()` function which violates ERC7579 spec but the impact shown by all issues is insufficient. Need a better impact description/PoC that exceeds violation of ERC7579 to raise the severity of this issue. There will likely be no exploit for staticcall types, given there is not [state change/funds transfer allowed](https://www.rareskills.io/post/solidity-staticcall), so the possible vulnerability would be in the `CALLTYPE_SINGLE`. If no sufficient proof is provided to show a possible exploit, I will likely invalidate these issues.

Support

FAQs

Can’t find an answer? Join our Discord or follow us on Twitter.

Cyfrin
Updraft
CodeHawks
Solodit
Resources