Submission Details
Severity: low
Invalid

Fallback function is not compliant with ERC-7579 because it uses `staticcall` instead of `call` to invoke the fallbackHandler

Lines of code

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L86

Impact

Using `staticcall` instead of `call` for a fallback handler has three consequences:

  1. ERC-7579 interoperability: a handler written against the standard that expects to be invoked with `call` will behave differently on this account, which may break compatibility with other ERC-7579 modules and smart accounts.

  2. Functionality limitation: inside a `staticcall` frame any state-changing opcode executed by the handler (SSTORE, LOG, CREATE, SELFDESTRUCT, or a value transfer) makes the inner call fail, so handlers that need to write state cannot be used through this path.

  3. Security risk: a handler that relies on writing state to enforce a check (for example a counter or nonce) cannot do so under `staticcall`; the call reverts instead of applying the intended control.

Proof of Concept

  1. A user sends a transaction to the ModuleManager contract with a function selector that maps to a fallback handler registered with CALLTYPE_STATIC.

  2. The fallback function looks up the handler for `msg.sig` and reads its call type.

  3. Because the call type is CALLTYPE_STATIC, the contract invokes the handler with `staticcall`.

  4. If the handler attempts to modify state, the inner call fails and the fallback reverts, so every call routed through that selector is denied.

Recommended Mitigation Steps

Replace `staticcall` with `call` for fallback handlers to ensure compliance with the ERC-7579 standard and allow handlers to modify state when their logic requires it.
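To make the PoC and the mitigation concrete, here is a minimal Foundry test written for this page; it is not the Nexus ModuleManager code. It models a per-selector fallback dispatcher that uses `staticcall` for CALLTYPE_STATIC and `call` for CALLTYPE_SINGLE. The contract names and the `installFallback` setter are hypothetical; the call-type byte values follow ERC-7579's mode encoding (CALLTYPE_SINGLE = 0x00, CALLTYPE_STATIC = 0xFE). It goes beyond the PoC by also showing that a read-only handler works under CALLTYPE_STATIC, which is the caveat the judge raises.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this page, not the Nexus ModuleManager code.
// Contract names and installFallback() are hypothetical; call-type values
// are ERC-7579's CALLTYPE_SINGLE (0x00) and CALLTYPE_STATIC (0xFE).

import {Test} from "forge-std/Test.sol";

bytes1 constant CALLTYPE_SINGLE = 0x00;
bytes1 constant CALLTYPE_STATIC = 0xFE;

/// A handler whose logic needs to write state (e.g. a counter or nonce).
contract StatefulHandler {
    uint256 public hits;

    function ping() external returns (uint256) {
        hits += 1; // SSTORE: fails inside a staticcall frame
        return hits;
    }

    function peek() external view returns (uint256) {
        return hits; // read-only: fine under either call type
    }
}

/// Minimal account-side dispatcher modelling the fallback the finding describes.
contract FallbackDispatcher {
    struct Handler {
        address target;
        bytes1 callType;
    }

    mapping(bytes4 => Handler) public handlers;

    // Unauthenticated on purpose for the demo; a real account would only
    // allow registration through its module-installation path.
    function installFallback(bytes4 selector, address target, bytes1 callType) external {
        require(callType == CALLTYPE_SINGLE || callType == CALLTYPE_STATIC, "bad calltype");
        handlers[selector] = Handler(target, callType);
    }

    fallback() external {
        require(msg.data.length >= 4, "no selector");
        Handler memory h = handlers[msg.sig];
        require(h.target != address(0), "no handler");

        bool ok;
        bytes memory ret;
        if (h.callType == CALLTYPE_STATIC) {
            (ok, ret) = h.target.staticcall(msg.data); // handler may not write state
        } else {
            (ok, ret) = h.target.call(msg.data); // handler may write state
        }

        // Bubble up the handler's return or revert data unchanged.
        assembly {
            if iszero(ok) { revert(add(ret, 0x20), mload(ret)) }
            return(add(ret, 0x20), mload(ret))
        }
    }
}

contract FallbackCallTypeTest is Test {
    FallbackDispatcher account;
    StatefulHandler handler;

    function setUp() public {
        account = new FallbackDispatcher();
        handler = new StatefulHandler();
    }

    /// PoC step 4: a state-writing handler behind CALLTYPE_STATIC reverts.
    function test_staticHandlerCannotWriteState() public {
        account.installFallback(StatefulHandler.ping.selector, address(handler), CALLTYPE_STATIC);
        vm.expectRevert();
        StatefulHandler(address(account)).ping();
        assertEq(handler.hits(), 0);
    }

    /// Caveat: a read-only handler is perfectly usable behind CALLTYPE_STATIC.
    function test_staticHandlerCanRead() public {
        account.installFallback(StatefulHandler.peek.selector, address(handler), CALLTYPE_STATIC);
        assertEq(StatefulHandler(address(account)).peek(), 0);
    }

    /// Mitigation: the same handler registered with CALLTYPE_SINGLE is reached via call.
    function test_singleHandlerWritesState() public {
        account.installFallback(StatefulHandler.ping.selector, address(handler), CALLTYPE_SINGLE);
        assertEq(StatefulHandler(address(account)).ping(), 1);
        assertEq(handler.hits(), 1);
    }
}
```

Drop the file into a Foundry project's `test/` directory and run `forge test`. The first test reproduces the denial of service from the PoC, the second shows why a static call type is still useful for read-only handlers, and the third shows that the fix is a matter of which call type the handler is registered with, not of removing `staticcall` from the dispatcher.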

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

finding-ERC7579-fallback-staticcall

Invalid: although ERC7579 is violated, staticcall is a desired, supported fallback call type, as seen in the [documentation](https://github.com/bcnmy/nexus/wiki/Execution-Framework#key-concepts), and no exploit is possible.
