HardhatFoundry
30,000 USDC
Submission Details
Severity: high
Invalid

Missing Registry Check at Runtime for Fallback Module

Summary

The Smart Account does not verify the security attestations for the Fallback handler being used, which can lead to loss of funds from a compromised Fallback Handler.

Vulnerability Details

One of the core principles behind ERC7579 is to be less opinionated about the module permission model while still being reasonably secure by allowing off-chain entities to "attest" to the security of a module in an on-chain registry. These off-chain entities can create and revoke attestations as they see fit. In particular, an attestation may be revoked after being made if a vulnerability is found later.

It is therefore important that attestations are verified not only at the time of module installation but also in each transaction in which the module is used. The codebase already does this in the execution module flow, where checks are performed at module installation as well as at usage.

However, in the case of Fallback Handlers, it is observed that the checks are not performed in the fallback function.

Impact

If the security of a Fallback Handler is not verified during each execution, a compromised fallback handler module may continue to be used despite its attestations being revoked. This can lead to a direct loss of funds across all Smart Accounts in which the fallback handler is installed.

Tools Used

Code Inspection.

Recommendations

A registry check should be added to the fallback() function of ModuleManager.
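
The recommendation above, shown as an added example that is not code from the audited project: a simplified account whose fallback() re-checks the handler against the registry on every call, in addition to the install-time check. The `IModuleRegistry` interface, the contract name, the self-call-only install rule and the storage layout are assumptions made for illustration; the value 3 is the ERC-7579 fallback module type id.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal registry interface (assumption, not the project's API).
// check() is assumed to revert when the module has no valid, unrevoked
// attestation for the given module type.
interface IModuleRegistry {
    function check(address module, uint256 moduleType) external view;
}

// Simplified account that models only the fallback-handler path.
contract RegistryCheckedFallback {
    uint256 internal constant MODULE_TYPE_FALLBACK = 3; // ERC-7579 type id

    IModuleRegistry public immutable registry;
    mapping(bytes4 => address) public handlerFor; // selector => handler

    error NoHandler(bytes4 selector);
    error Unauthorized();

    constructor(IModuleRegistry registry_) {
        registry = registry_;
    }

    // Install-time check: passes only if the attestation is valid right now.
    // Assumption: installs are only allowed through a call from the account itself.
    function installFallbackHandler(bytes4 selector, address handler) external {
        if (msg.sender != address(this)) revert Unauthorized();
        registry.check(handler, MODULE_TYPE_FALLBACK);
        handlerFor[selector] = handler;
    }

    fallback() external payable {
        address handler = handlerFor[msg.sig];
        if (handler == address(0)) revert NoHandler(msg.sig);

        // Runtime check: reverts if the attestation was revoked after install,
        // so a handler flagged later is no longer reachable through the account.
        registry.check(handler, MODULE_TYPE_FALLBACK);

        // Forward calldata with the original sender appended (ERC-2771 style).
        (bool ok, bytes memory ret) =
            handler.call{value: msg.value}(abi.encodePacked(msg.data, msg.sender));
        assembly {
            if iszero(ok) { revert(add(ret, 0x20), mload(ret)) }
            return(add(ret, 0x20), mload(ret))
        }
    }
}
```

The runtime check adds one external call to every fallback invocation, so the gas cost of each handled call rises accordingly.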

Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Other
