HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Unauthorized Removal of Validators For Smart Wallet Accounts

Summary

A critical vulnerability has been identified in the validator uninstallation process where the `onUninstall` function lacks access control. This allows an attacker to remove validators directly, bypassing the security requirement of having at least one validator for the account to function properly. This vulnerability compromises the integrity and security of the smart wallet, allowing unauthorized control and actions.

This issue is more impactful in cases where multisig validation modules are used: a rogue signatory can restrict functionality for all other users.

Vulnerability Details

The vulnerability arises from the lack of access control in the `onUninstall` function of the validator contract.

```solidity
function onUninstall(bytes calldata) external {
    delete smartAccountOwners[msg.sender];
}
```

However, this function is intended to be called from the `moduleManager`, where a check prevents users from removing the last validator:

```solidity
function _uninstallValidator(address validator, bytes calldata data) internal virtual {
    SentinelListLib.SentinelList storage validators = _getAccountStorage().validators;
    (address prev, bytes memory disableModuleData) = abi.decode(data, (address, bytes));
    // Check if the account has at least one validator installed before proceeding
    // Having at least one validator is a requirement for the account to function properly
    require(!(prev == address(0x01) && validators.getNext(validator) == address(0x01)), CannotRemoveLastValidator());
    validators.pop(prev, validator);
    IValidator(validator).onUninstall(disableModuleData);
}
```

1. **Direct Call to onUninstall**:

- Any user can directly call the `onUninstall` function from any address.

- This function call will delete the ownership record of the smart account associated with the caller's address.

2. **Bypass Last Validator Check**:

- The `_uninstallValidator` function ensures that at least one validator remains.

- By directly calling `onUninstall`, this check is bypassed, allowing all validators to be removed.

Example Attack Scenario

- **Step 1**: The attacker identifies the address of a validator.

- **Step 2**: The attacker calls the `onUninstall` function directly from their address.

- **Step 3**: The `onUninstall` function deletes the ownership record of the smart account without any access control checks.

- **Step 4**: The attacker repeats this for all validators, leaving the smart account without any validators.

If all validators are removed, the validation process for user operations (userOps) will fail. This would prevent users from executing any transactions, effectively rendering the smart wallet unusable, because the `entryPoint` will fail when it calls `validateUserOp` to verify the data.

Impact

Bypassing Security Mechanism

Attackers can remove all validators, effectively disabling the validation mechanism and leaving the account unable to function properly.

Tools Used

Manual Code Review

Recommendations

Ensure that critical functions like `onUninstall` can only be called through the intended workflow.

Allow only `moduleManager` access to the `onUninstall` function.
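To check the claim and the recommendation against each other, here is an added Foundry test (not part of the submission or of the Nexus code base) against a minimal validator modelled on the `onUninstall` snippet above, whose storage is keyed by `msg.sender`. The names `MiniValidator`, `account`, `owner` and `attacker` are assumptions, and the `NotInitialized` revert is an assumed hardening, not the audited contract's behaviour: with the snippet as written, a stray call from an unrelated address only clears that caller's own (already empty) slot, while the account's record is untouched either way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal validator modelled on the report's snippet (assumption: the real contract
// carries more logic; only the mapping keyed by msg.sender matters for this check).
contract MiniValidator {
    error NotInitialized();
    mapping(address => address) public smartAccountOwners;

    // Called by the account during installation; msg.sender is the account itself.
    function onInstall(bytes calldata data) external {
        smartAccountOwners[msg.sender] = abi.decode(data, (address));
    }

    // Hardened variant (assumption): still keyed by msg.sender, but reverts instead of
    // silently doing nothing when the caller never installed this module.
    function onUninstall(bytes calldata) external {
        if (smartAccountOwners[msg.sender] == address(0)) revert NotInitialized();
        delete smartAccountOwners[msg.sender];
    }
}

contract MiniValidatorTest is Test {
    MiniValidator validator;
    address account = makeAddr("account");   // the smart account (constructed)
    address owner = makeAddr("owner");       // its EOA signer (constructed)
    address attacker = makeAddr("attacker"); // unrelated caller (constructed)

    function setUp() public {
        validator = new MiniValidator();
        vm.prank(account);
        validator.onInstall(abi.encode(owner));
    }

    // A direct call from another address cannot reach the account's record: the
    // caller's own slot is empty, so the call reverts and the mapping is unchanged.
    function test_directCallDoesNotRemoveAccountOwner() public {
        vm.prank(attacker);
        vm.expectRevert(MiniValidator.NotInitialized.selector);
        validator.onUninstall("");
        assertEq(validator.smartAccountOwners(account), owner);
    }

    // Only the account itself (the module-manager uninstall path) clears its record.
    function test_accountCanUninstallItself() public {
        vm.prank(account);
        validator.onUninstall("");
        assertEq(validator.smartAccountOwners(account), address(0));
    }
}
```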

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-K1Validator-access-control-issues

- Transfer of ownerships/uninstallation/installation of modules is gated to the caller, wherein the new owner can only adjust the `smartAccountOwners` storing the current owner based on the caller (`msg.sender`) that called the `transferOwnership()` function. These functionalities should
- Known issue
> A Nexus Smart Account could be locked forever if the owner installs a validator in the wrong way and does remove all other valid validators
