Biconomy: Nexus

Summary

The RegistryAdapter contract is designed to interact with an attestation registry (IERC7484) that manages attestations provided by trusted entities. The purpose of this contract is to ensure that only modules with sufficient valid attestations are used. However, upon closer inspection, it appears that the contract does not fully implement the logic to check for sufficient attestations before executing critical functions.

Vulnerability Details

HERE:

function _configureRegistry(IERC7484 newRegistry, address[] calldata attesters, uint8 threshold) internal { registry = newRegistry; if (address(newRegistry) != address(0)) { newRegistry.trustAttesters(threshold, attesters); } emit ERC7484RegistryConfigured(newRegistry); }

This function sets up the attestation registry, trusts specified attesters, and defines the threshold for attestations. It emits an event ERC7484RegistryConfigured upon successful configuration. This part of the contract is implemented correctly.

HOWEVER HERE:

function _checkRegistry(address module, uint256 moduleType) internal view {
IERC7484 moduleRegistry = registry;
if (address(moduleRegistry) != address(0)) {
moduleRegistry.check(module, moduleType);
}
}

This function is supposed to check if a module has sufficient attestations by interacting with the registry. However, it only calls the check function of the registry without explicitly verifying if the module meets the attestation threshold. There is no mechanism to revert the transaction if the module does not have sufficient attestations.

Impact

The main reason for the intended implimentation of the check function is to ensure that certain level of attestations are reached before execution and without valid check, compromises the contract which affects other important functionalities which depends on the integrity of this smart contract.

Tools Used

Manual

Recommendations

Modify the _checkRegistry function to include explicit checks for the required attestations before allowing a module to proceed.