Non-unique attesters can cause denial of service
https://github.com/Cyfrin/2024-07-biconomy/blob/main/contracts/factory/RegistryFactory.sol#L57-L59
https://github.com/Cyfrin/2024-07-biconomy/blob/main/contracts/base/RegistryAdapter.sol#L27
Summary
The RegistryFactory contract lacks a mechanism to prevent the addition of duplicate attesters.
While the addAttester function is restricted to being callable only by the owner, it is impractical to expect the owner to manually keep track of all attester addresses and prevent duplicates.
Vulnerability Details
The contract allows the owner to add attesters using the addAttester function. However, there is no check to ensure that the attester being added is not already present in the attesters array. This oversight can result in multiple instances of the same attester being added to the array.
Relevant Code:
According to the interface IERC7484, the trustAttesters function allows smart accounts to appoint multiple attesters as trusted. This function explicitly states that it will revert if duplicates are provided in the attesters array. Here is the interface for reference:
Attesters play a crucial role in the protocol as they are responsible for verifying and validating modules within the Nexus system.
If the RegistryFactory contract does not prevent the addition of duplicate attesters, it can lead to issues when smart accounts owner interact with the registry using the trustAttesters function. The presence of duplicate attesters in the attesters array would cause the function to revert.
Impact
Duplicate attesters can cause the trustAttesters function to revert, preventing the smart account owner to choose which attesters to trust.
Tools Used
Manual code review
Recommendations
To prevent the addition of duplicate attesters, implement a check in the addAttester function to ensure the attester is not already present in the attesters array.
Lead Judging Commences
finding-ERC7848-add-duplicate-attester
Invalid, - Addition of attesters are admin only functionalities so if duplicate addresses are added it would consitute admin input/call validation. - ERC-7484 is in draft mode so we should not take it as the final EIP configuration yet. - Even if a mistake was made, removals can be performed by invoking `removeAttester` multiple times by the owner to completely remove a duplicate user. - In the [documentation](https://github.com/bcnmy/nexus/wiki#problems-nexus-solves), it is not noted that Nexus suite will be ERC7484 compliant.
Appeal created
finding-ERC7484-sorted-duplicate-attestor-issue
Invalid, similar issue to #151 and duplicates - Addition of attesters are admin only functionalities so if duplicate addresses are added it would consitute admin input/call validation. - ERC-7484 is in draft mode so we should not take it as the final EIP configuration yet. - In the [documentation](https://github.com/bcnmy/nexus/wiki#problems-nexus-solves), it is not noted that Nexus suite will be ERC7484 compliant.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.