HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Lack of access control allows anyone to become a smart account validator owner 

Summary

Validator owners of smart accounts are allowed to perform transactions with the wallet. The lack of access control allows anyone to call `transferOwnership` to become an owner.

The owner address of the smart account is used to validate the userOp; as anyone can set themselves as the owner, they can pass any transaction they want.

Vulnerability Details

`validateUserOp` retrieves the owner's address from the `smartAccountOwners` mapping to validate the signature. However, the owner can be transferred by anyone to themselves.

```solidity
function validateUserOp(PackedUserOperation calldata userOp, bytes32 userOpHash) external view returns (uint256) {
    address owner = smartAccountOwners[userOp.sender];
    if (
        owner.isValidSignatureNow(ECDSA.toEthSignedMessageHash(userOpHash), userOp.signature) ||
        owner.isValidSignatureNow(userOpHash, userOp.signature)
    ) {
        return VALIDATION_SUCCESS;
    }
    return VALIDATION_FAILED;
}
```

https://github.com/Cyfrin/2024-07-biconomy/blob/main/contracts%2Fmodules%2Fvalidators%2FK1Validator.sol#L66

The transfer only ensures the new owner is not the zero address and not a contract. There is no access control, allowing anyone to call transfer validator ownership.

```solidity
function transferOwnership(address newOwner) external {
    require(newOwner != address(0), ZeroAddressNotAllowed());
    require(!_isContract(newOwner), NewOwnerIsContract());
    smartAccountOwners[msg.sender] = newOwner;
}
```

Impact

Malicious owners can perform transactions and pass `validateUserOp`.

A compromised validator can steal funds or perform unauthorized actions with the smart account.

Tools Used

Manual Review

Recommendations

Include access control restricting the function to only be callable by the ModuleManager.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-K1Validator-access-control-issues

- Transfer of ownerships/uninstallation/installation of modules is gated to the caller, wherein the new owner can only adjust the `smartAccountOwners` storing the current owner based on the caller (`msg.sender`) that called the `transferOwnership()` function. These functionalities should
- Known issue

> A Nexus Smart Account could be locked forever if the owner installs a validator in the wrong way and does remove all other valid validators
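The judge's point above (the write goes under the caller's own key, `msg.sender`, so a call from another address cannot touch a different smart account's entry) can be checked with a Foundry test. The following is an added example, not part of this submission or of the Biconomy contracts: it reconstructs a minimal validator with the two functions shown on this page (the `require(..., CustomError())` form rewritten as `if`/`revert`, and `validateUserOp` reduced to a plain `ecrecover` check named `validate`) and asserts that an outside caller's `transferOwnership` changes only that caller's entry, leaving the victim account's owner and signature validation unchanged. All addresses, keys and the userOp hash are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Minimal reconstruction for this example (not the Biconomy K1Validator):
// each smart account's owner is stored under that account's own address,
// and only a call made by that account can rewrite it.
contract MinimalValidator {
    error ZeroAddressNotAllowed();
    error NewOwnerIsContract();

    uint256 internal constant VALIDATION_SUCCESS = 0; // ERC-4337 convention
    uint256 internal constant VALIDATION_FAILED = 1;

    mapping(address => address) public smartAccountOwners;

    function transferOwnership(address newOwner) external {
        if (newOwner == address(0)) revert ZeroAddressNotAllowed();
        if (newOwner.code.length > 0) revert NewOwnerIsContract();
        smartAccountOwners[msg.sender] = newOwner; // keyed by the caller, not by newOwner
    }

    // Simplified stand-in for validateUserOp: the signer must be the owner
    // recorded for `sender`, i.e. the smart account that submitted the userOp.
    function validate(address sender, bytes32 userOpHash, bytes calldata signature)
        external view returns (uint256)
    {
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash));
        (bytes32 r, bytes32 s, uint8 v) = abi.decode(signature, (bytes32, bytes32, uint8));
        address signer = ecrecover(digest, v, r, s);
        if (signer != address(0) && signer == smartAccountOwners[sender]) return VALIDATION_SUCCESS;
        return VALIDATION_FAILED;
    }
}

contract OwnerKeyingTest is Test {
    MinimalValidator validator;
    address victimAccount;          // constructed smart account address
    uint256 victimOwnerPk = 0xA11CE; // constructed private keys
    uint256 attackerPk = 0xB0B;
    address victimOwner;
    address attacker;

    function setUp() public {
        validator = new MinimalValidator();
        victimAccount = makeAddr("victimSmartAccount");
        victimOwner = vm.addr(victimOwnerPk);
        attacker = vm.addr(attackerPk);
        // the victim smart account records its own owner (as installation would)
        vm.prank(victimAccount);
        validator.transferOwnership(victimOwner);
    }

    function testForeignCallerCannotRewriteVictimOwner() public {
        vm.prank(attacker);
        validator.transferOwnership(attacker);

        // only the caller's own entry changed; the victim's entry is intact
        assertEq(validator.smartAccountOwners(attacker), attacker);
        assertEq(validator.smartAccountOwners(victimAccount), victimOwner);
    }

    function testOutsideSignerStillRejectedForVictimAccount() public {
        vm.prank(attacker);
        validator.transferOwnership(attacker);

        bytes32 userOpHash = keccak256("constructed userOp");
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash));

        // a signature from the outside party does not validate for the victim account
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(attackerPk, digest);
        assertEq(validator.validate(victimAccount, userOpHash, abi.encode(r, s, v)), 1);

        // the recorded owner's signature still validates
        (v, r, s) = vm.sign(victimOwnerPk, digest);
        assertEq(validator.validate(victimAccount, userOpHash, abi.encode(r, s, v)), 0);
    }
}
```

Run with `forge test --match-contract OwnerKeyingTest -vv`. Both tests pass because the only state an external caller can write is `smartAccountOwners[msg.sender]`; the lookup in validation is by `userOp.sender`, so the two never intersect unless the caller is the smart account itself.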
