https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L86
Using staticcall instead of call for fallback handlers can lead to several issues:
Non-compliance with ERC-7579: The contract does not adhere to the standard, which may lead to interoperability issues with other compliant modules and smart accounts.
Functionality Limitation: staticcall restricts the fallback handler from modifying state, which may be necessary for certain operations, leading to potential failures or unexpected behavior.
Security Risks: The use of staticcall may introduce security vulnerabilities if the fallback handler relies on state changes to enforce certain checks or balances.
A user sends a transaction to the ModuleManager contract with a function signature that maps to a fallback handler with CALLTYPE_STATIC.
The fallback function retrieves the handler and determines the call type.
The contract uses staticcall to invoke the handler.
If the handler attempts to modify the state, the call fails, leading to a revert and potential denial of service.
Recommended Mitigation Steps
Replace staticcall with call to ensure compliance with the ERC-7579 standard and allow fallback handlers to modify state as needed.
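To make the mechanics concrete, here is a minimal fallback dispatcher, written as an added example for this page and not code from Nexus or the ERC-7579 reference implementation. It shows both outcomes the finding and the response describe: a state-writing handler installed with CALLTYPE_STATIC reverts because the SSTORE happens inside a staticcall, while the same handler installed with CALLTYPE_SINGLE succeeds. The CallType constants match the ERC-7579 encoding (0x00 single, 0xFE static); the contract names, the unprotected installFallback hook, and the ERC-2771 style sender append are assumptions made for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Nexus code). CallType encoding as in ERC-7579 ModeLib.
type CallType is bytes1;
CallType constant CALLTYPE_SINGLE = CallType.wrap(0x00);
CallType constant CALLTYPE_STATIC = CallType.wrap(0xFE);

contract MiniFallbackManager {
    struct FallbackHandler {
        address handler;
        CallType calltype; // fixed when the fallback is installed
    }
    mapping(bytes4 => FallbackHandler) public fallbacks;

    // Hypothetical install hook: a real account gates this behind its auth logic.
    function installFallback(bytes4 selector, address handler, CallType calltype) external {
        fallbacks[selector] = FallbackHandler(handler, calltype);
    }

    fallback() external payable {
        FallbackHandler memory fb = fallbacks[msg.sig];
        require(fb.handler != address(0), "no fallback handler");

        // ERC-2771 style: append the original sender so the handler can read it (assumption).
        bytes memory data = abi.encodePacked(msg.data, msg.sender);

        bool ok;
        bytes memory ret;
        if (CallType.unwrap(fb.calltype) == CallType.unwrap(CALLTYPE_STATIC)) {
            // Read-only path: any state write in the handler makes this return ok == false.
            (ok, ret) = fb.handler.staticcall(data);
        } else {
            (ok, ret) = fb.handler.call{value: msg.value}(data);
        }

        // Bubble up the handler's revert data or return its output unchanged.
        assembly {
            switch ok
            case 0 { revert(add(ret, 0x20), mload(ret)) }
            default { return(add(ret, 0x20), mload(ret)) }
        }
    }
}

// Handler that writes state. Under staticcall the SSTORE in bump() reverts.
contract CounterHandler {
    uint256 public count;

    function bump() external returns (uint256) {
        return ++count;
    }
}

// Drives both paths through the dispatcher and reports which one succeeded.
contract Demo {
    function run() external returns (bool staticOk, bool callOk) {
        MiniFallbackManager mgr = new MiniFallbackManager();
        CounterHandler h = new CounterHandler();
        bytes4 sel = CounterHandler.bump.selector;

        // Installed as static: the handler's state write is rejected, call reverts.
        mgr.installFallback(sel, address(h), CALLTYPE_STATIC);
        (staticOk, ) = address(mgr).call(abi.encodeWithSelector(sel)); // false

        // Installed as single: same handler, same input, write succeeds.
        mgr.installFallback(sel, address(h), CALLTYPE_SINGLE);
        (callOk, ) = address(mgr).call(abi.encodeWithSelector(sel)); // true
    }
}
```

Deploy Demo and call run(); it returns (false, true). The point the example makes is that the call type is not chosen per transaction by an arbitrary caller but recorded at install time, so a handler that needs to write state is simply installed with CALLTYPE_SINGLE, and a handler installed with CALLTYPE_STATIC is guaranteed read-only, which is the property a read-only fallback type exists to provide.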
Invalid. Although ERC-7579 is violated, staticcall is a desired, supported fallback call type, as seen in the [documentation](https://github.com/bcnmy/nexus/wiki/Execution-Framework#key-concepts), and no exploit is possible.