Biconomy: Nexus

Biconomy

HardhatFoundry

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Incorrect `msg.sender` Check Causes Execution Failure in `Nexus::executeFromExecutor`

0xabhayy

## Summary

The [executeFromExecutor](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/Nexus.sol#L137) function fails to correctly validate the `executor` module due to the use of `msg.sender` in the `withRegistry` modifier. This causes the execution to always fail as the check is performed on the smart account's address instead of the executor module's address.

## Vulnerability Details

The function `Nexus::executeFromExecutor` allows [ERC-7579](https://eips.ethereum.org/EIPS/eip-7579) executor

modules to execute operations on behalf of Nexus smart accounts.

```javascript

function executeFromExecutor(

ExecutionMode mode,

bytes calldata executionCalldata

) external payable onlyExecutorModule withHook

-> withRegistry(msg.sender, MODULE_TYPE_EXECUTOR)

returns (bytes[] memory returnData)

```

The `withRegistry` modifier should verify that the sender module is attested as an executor module by trusted attesters with a given threshold. However, the execution always fails because the check is performed for the address of the `Nexus Smart Account` rather than the address of the `executor module`.

## Impact

Executor modules cannot be used, preventing automated operations and potentially disrupting the functionality of smart accounts relying on these modules.

[Similar Finding (please go to Page 29)](https://github.com/rhinestonewtf/safe7579/blob/main/audits/ackee-blockchain-rhinestone-safe7579-report.pdf)

## Tools Used

Manual Review

## Recommendations

Replace `msg.sender` with `_msgSender()` in the `withRegistry` modifier to correctly validate the executor module's address.

```diff

function executeFromExecutor(

ExecutionMode mode,

bytes calldata executionCalldata

) external payable onlyExecutorModule withHook

-- withRegistry(msg.sender, MODULE_TYPE_EXECUTOR)

++ withRegistry(_msgSender(), MODULE_TYPE_EXECUTOR)

returns (bytes[] memory returnData)

```

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

finding-withRegistry-wrong-msg.sender-check

Invalid, I believe there is no issue here, the caller is the executor module, so there will be no reverts. Otherwise, please provide a PoC to prove a revert.

Appeal created

0xabhayy Submitter

11 months ago

0xnevi Lead Judge

11 months ago

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

finding-withRegistry-wrong-msg.sender-check

Invalid, I believe there is no issue here, the caller is the executor module, so there will be no reverts. Otherwise, please provide a PoC to prove a revert.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,433

21 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.