Submission Details
Severity: medium
Invalid

Project is not ERC-7579 compliant

Vulnerability Details

One of the main invariants is that Biconomy is fully compliant with ERC-7579. This is stated in the README.md and multiple times in the Docs. The problem is that this iteration of Biconomy is not fully ERC-7579 compliant.

One of the things that MUST be implemented is the following, as per the EIP-7579:

/**
 * @dev This function is called by the smart account during uninstallation of the module
 * @param data arbitrary data that may be required on the module during `onUninstall` de-initialization
 *
 * MUST revert on error
 */
function onUninstall(bytes calldata data) external;

The problem is that this revert does not happen in K1Validator.onUninstall(), which is a module of type Validator:
K1Validator.sol#L59-L62

/// @notice Called upon module uninstallation to remove the owner of the smart account
function onUninstall(bytes calldata) external {
    delete smartAccountOwners[msg.sender];
}

This breaks the main invariant of Biconomy, namely full compliance with ERC-7579, as stated in the README.md and the Docs.
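As an added illustration (not Biconomy's K1Validator code and not part of this submission), the sketch below keeps the owner mapping from the snippet above and makes `onUninstall` revert only when there is an actual error to report, namely the calling account never installed an owner, which is one way of reading the "MUST revert on error" clause; the contract, error and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Biconomy's K1Validator. Contract, error and
/// event names are assumptions made for this sketch.
contract OwnerValidatorSketch {
    /// smart account => owner key, mirroring the mapping in the snippet above
    mapping(address => address) public smartAccountOwners;

    error AlreadyInstalled(address account);
    error NoOwnerInstalled(address account);
    error InvalidInitData();

    event OwnerInstalled(address indexed account, address indexed owner);
    event OwnerUninstalled(address indexed account);

    /// @notice Called by the smart account on installation; `data` is the ABI-encoded owner.
    function onInstall(bytes calldata data) external {
        if (smartAccountOwners[msg.sender] != address(0)) revert AlreadyInstalled(msg.sender);
        if (data.length != 32) revert InvalidInitData();
        address owner = abi.decode(data, (address));
        if (owner == address(0)) revert InvalidInitData();
        smartAccountOwners[msg.sender] = owner;
        emit OwnerInstalled(msg.sender, owner);
    }

    /// @notice Called by the smart account on uninstallation.
    /// Reverts only on the error path (nothing to remove for this account);
    /// the happy path clears state and returns normally.
    function onUninstall(bytes calldata) external {
        if (smartAccountOwners[msg.sender] == address(0)) revert NoOwnerInstalled(msg.sender);
        delete smartAccountOwners[msg.sender];
        emit OwnerUninstalled(msg.sender);
    }
}
```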

Impact

This breaks one of the critical invariants set by the project.

Tools Used

Manual Review

Recommendations

Revert in the onUninstall() function.

Updates

Lead Judging Commences

0xnevi Lead Judge
12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

bronzepickaxe Submitter
12 months ago
0xnevi Lead Judge
11 months ago
bronzepickaxe Submitter
11 months ago
0xnevi Lead Judge
11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
