HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Valid

entryPoint() function cannot be overridden

Summary

The entryPoint() function cannot be overridden because it is declared without the virtual keyword.

Vulnerability Details

As stated in the comment on the entryPoint() function, this function is supposed to be overridden to return a different EntryPoint address if needed.

```solidity
/// @notice Retrieves the address of the EntryPoint contract, currently using version 0.7.
/// @dev This function returns the address of the canonical ERC4337 EntryPoint contract.
@> /// It can be overridden to return a different EntryPoint address if needed.
/// @return The address of the EntryPoint contract.
function entryPoint() external view returns (address) {
    return _ENTRYPOINT;
}
```

However, this function is not declared with the virtual keyword, so it cannot be overridden as expected.
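
A way to catch this class of mismatch automatically, as an added example that is not part of the original submission or the Nexus code base: a small Python check that flags functions whose NatSpec promises overridability while the header lacks `virtual`. The regex heuristics, the name `find_unoverridable` and the sample contract are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the snippet in this report (not the full Nexus source).
SAMPLE = '''
contract Account {
    address private immutable _ENTRYPOINT;

    /// @notice Retrieves the address of the EntryPoint contract.
    /// It can be overridden to return a different EntryPoint address if needed.
    /// @return The address of the EntryPoint contract.
    function entryPoint() external view returns (address) {
        return _ENTRYPOINT;
    }

    /// @dev Hook that can be overridden by derived accounts.
    function _validate(
        bytes32 hash
    ) internal view virtual returns (bool) {
        return hash != bytes32(0);
    }
}
'''

# A run of consecutive /// NatSpec lines followed directly by a function header,
# captured up to the opening brace (or ';' for a bodiless declaration).
_FUNC = re.compile(
    r"((?:[ \t]*///[^\n]*\n)+)[ \t]*function\s+(\w+)\s*\(([^{;]*)[{;]"
)
# Phrases that promise overridability; tolerates the common "overriden" misspelling.
_PROMISE = re.compile(r"\b(?:can|may|should|meant to|supposed to) be overridd?en\b", re.I)


def find_unoverridable(source: str) -> list[str]:
    """Names of functions whose NatSpec promises overriding but which lack `virtual`."""
    findings = []
    for natspec, name, header in _FUNC.findall(source):
        promised = _PROMISE.search(natspec)
        is_virtual = re.search(r"\bvirtual\b", header)
        if promised and not is_virtual:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_unoverridable(SAMPLE):
        print(f"{name}(): NatSpec says overridable, but the function is not virtual")
```

The check is a heuristic over source text, so it only sees `///` comments placed directly above a function and does not replace compiling a derived contract that actually overrides the function.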

Impact

entryPoint() function cannot be overridden.

Tools Used

Manual Review

Recommendations

Add the virtual keyword to the entryPoint() function so that it can be overridden:

- function entryPoint() external view returns (address) {
+ function entryPoint() external virtual view returns (address) {
return _ENTRYPOINT;
}
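
Review bot: on the `+` line the specifiers are ordered `external virtual view`, while the Solidity style guide places visibility first, then mutability, then `virtual`, so the line would conventionally read `function entryPoint() external view virtual returns (address) {`. It would also help to add a test contract that overrides `entryPoint()` with `override`, so that the NatSpec promise of overridability is enforced at compile time and cannot silently regress.
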
Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-entrypoint-cannot-be-overriden

Valid low, since `_ENTRYPOINT` is defined by the deployer within the `Nexus.sol` [contract](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/Nexus.sol#L76), so even if unchanged the account could still be used. The only currently supported entry point contract would be [here](https://github.com/eth-infinitism/account-abstraction/blob/develop/contracts/core/EntryPoint.sol#L605). Additionally, `Nexus.sol` is an upgradeable contract, so the entrypoint can be changed, so one can argue the severity of this issue could be downgraded lower.
