HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Front-Running Vulnerability in `initializeAccount`

## Summary
The [initializeAccount](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/Nexus.sol#L218) function is vulnerable to front-running attacks. This vulnerability allows a malicious actor to `initialize` the account with their own data, potentially taking control of the Nexus smart account.
## Vulnerability Details
The `initializeAccount` function can be called in a separate transaction, allowing a malicious actor to front-run the call with their own initialization data.

Exploit scenario:

1. A legitimate user initiates the [createAccount](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/factory/NexusAccountFactory.sol#L44) function with their `initData` and `salt`.
2. The transaction is broadcast to the network and enters the transaction pool.
3. A malicious actor monitors the transaction pool for `createAccount` transactions.
4. The malicious actor submits their transaction with a higher gas price, causing it to be mined before the legitimate user's transaction.
5. The front-running transaction calls `initializeAccount` with the malicious actor's `initData`, taking control of the Nexus smart account.
## Impact
A malicious actor can take control of the Nexus smart account by front-running the `initializeAccount` function with their own initialization data.
## Tools Used
Manual Review
## Recommendations
Implement access control mechanisms, such as a modifier that restricts who may call the `initializeAccount` function. For example, see the Etherspot Smart Account [InitializeAccount](https://github.com/etherspot/etherspot-prime-contracts/blob/11552705ba4c47693672b5e7c1bba5d5b1085df8/src/modular-etherspot-wallet/wallet/ModularEtherspotWallet.sol#L337-L347).
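As an added illustration (not code from Nexus, Etherspot or SentinelListLib), a hypothetical contract that combines the two defences this thread touches on: an initializer whose underlying list refuses to be initialized twice, which is the reinitialization guard the judgement relies on, and a factory-only check of the kind the recommendation suggests. `MiniSentinelList`, `GuardedAccount` and the direct-deployment assumption (no proxy, so `msg.sender` in the constructor is the factory) are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative stand-in for a sentinel linked list whose `init` cannot run twice.
/// This mirrors the guard pattern referenced in the judgement; it is not SentinelListLib.
library MiniSentinelList {
    address internal constant SENTINEL = address(0x1);

    struct List {
        mapping(address => address) entries;
    }

    error AlreadyInitialized();

    function init(List storage self) internal {
        // Once the sentinel points at itself the list is initialized; a second init reverts,
        // so a later call with different init data cannot overwrite the first one.
        if (self.entries[SENTINEL] != address(0)) revert AlreadyInitialized();
        self.entries[SENTINEL] = SENTINEL;
    }

    function push(List storage self, address entry) internal {
        require(entry != address(0) && entry != SENTINEL, "bad entry");
        require(self.entries[entry] == address(0), "already present");
        self.entries[entry] = self.entries[SENTINEL];
        self.entries[SENTINEL] = entry;
    }
}

/// Hypothetical account (not Nexus). Assumes the factory deploys it directly,
/// so the deployer recorded in the constructor is the factory itself.
contract GuardedAccount {
    using MiniSentinelList for MiniSentinelList.List;

    MiniSentinelList.List internal validators;
    address public immutable factory;

    error OnlyFactory();

    constructor() {
        factory = msg.sender;
    }

    function initializeAccount(address initialValidator) external {
        // Access control: only the deploying factory may initialize.
        if (msg.sender != factory) revert OnlyFactory();
        // Reinitialization guard: reverts with AlreadyInitialized on any second call.
        validators.init();
        validators.push(initialValidator);
    }
}
```

With both checks in place a front-run call either fails the factory check or, if it somehow reached `init` first, the legitimate factory call would revert instead of silently losing the account.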
Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Other
Assigned finding tags:

finding-front-running-initializeAccount

Invalid - Checked [here](https://github.com/rhinestonewtf/sentinellist/blob/6dff696f39fb55bfdde9581544d788932f145e47/src/SentinelList.sol#L30-L32) based on `SentinelListLib` used as dependencies as seen [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/interfaces/base/IStorage.sol#L34-L35). Contract cannot be reinitialized - front-running initializers invalid per [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid)

Appeal created

0xabhayy Submitter
11 months ago
0xnevi Lead Judge
11 months ago
