Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Accounts can be bricked by selfdestruct()ing implementations, using forged immutable args

MSaptarshi007

Summary

The clone-with-immutable-args pattern is unsafe to use when one of the immutable arguments controls an address being delegated to.

Vulnerability Details

an attacker is able to forge the calldata that the proxy normally would forward, and can cause the implementation to selfdestruct() itself via a delegatecall(). The current code has a vulnerability, where every account performs a delegatecall() to an address coming from the factory, which is a forgeable immutable argument.

In createAccount the AccountImplementationargs is a immutable arg , and it passes the initData passed as a arg in the fuunction without proper sanitation, which after creating the account passes the initData

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/NexusAccountFactory.sol#L44

(bool alreadyDeployed, address account) = LibClone.createDeterministicERC1967(msg.value, ACCOUNT_IMPLEMENTATION, actualSalt);

if (!alreadyDeployed) {

INexus(account).initializeAccount(initData);

emit AccountCreated(account, initData, salt);

}

and, This is where the initData is decoded and delegate calls to the address after decoding

function initializeAccount(bytes calldata initData) external payable virtual {

_initModuleManager();

(address bootstrap, bytes memory bootstrapCall) = abi.decode(initData, (address, bytes));

(bool success, ) = bootstrap.delegatecall(bootstrapCall);

require(success, NexusInitializationFailed());}

Impact

The main issue is, privileges defined in the reference implementation have control over that instance, and could eventually force a destruction of the contract using a fallback handler with a selfdestruct instruction

Tools Used

Manual Review

Recommendations

Use a state/contract variable for anything requiring being delegated to.

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.