HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Bootstrap not validated before the delegate call allows for arbitrary validator and executor 

Summary

During SmartAccount initialization an attacker can supply a malicious bootstrap contract. This lets the attacker install their own validators, executors, and other modules, effectively gaining unauthorized control over the wallet.

The issue stems from the use of `delegatecall` to an unverified bootstrap contract, which can manipulate the wallet's storage and bypass any protocol-related checks.

Vulnerability Details

The vulnerability arises from the `initializeAccount` function, which decodes the bootstrap contract address and function call from the provided `initData` and performs a `delegatecall` to the bootstrap contract without verifying its integrity or legitimacy.

function initializeAccount(bytes calldata initData) external payable virtual {
    _initModuleManager();
    (address bootstrap, bytes memory bootstrapCall) = abi.decode(initData, (address, bytes));
    (bool success, ) = bootstrap.delegatecall(bootstrapCall);
    require(success, NexusInitializationFailed());
}

Exploitation Example

1. **Initialization with Malicious Bootstrap Contract**:

- An attacker can create a bootstrap contract with a function that sets their own validators, executors, and modules.

- During the account creation process, this bootstrap contract is passed in the `initData`.

2. **Delegatecall to Malicious Contract**:

- The `delegatecall` retains the storage context of the smart wallet, allowing the malicious bootstrap contract to manipulate the wallet's storage directly.

3. **Bypass Protocol Checks**:

- The attacker can bypass any protocol-related checks and constraints by setting their own modules and validators.

- This allows the attacker to perform unauthorized transactions and operations within the wallet.

Example Attack Scenario

- **Step 1**: The attacker calls `createAccount` with `initData` containing the address of a malicious bootstrap contract and the function selector to initialize the account with attacker-controlled modules.

- **Step 2**: The `initializeAccount` function decodes the bootstrap contract address and executes `delegatecall`.

- **Step 3**: The malicious bootstrap contract sets the attacker's validators and modules, giving the attacker full control over the wallet.

Impact

• Unauthorized Validators and Executors

Attackers can approve unauthorized transactions and execute arbitrary functions, all in the context of the Nexus Account.

• Storage Manipulation

Because the bootstrap runs via `delegatecall`, attackers can modify critical configuration parameters and state variables of the account directly.

• Bypass Protocol Checks

Attackers can bypass any protocol-related checks and constraints.

Tools Used

Manual Code Review

Recommendations

Consider requiring the bootstrap contract to be whitelisted or otherwise verified before `initializeAccount` is allowed to `delegatecall` into it.
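One way to implement this recommendation, as an added illustration that is not Nexus's code: the `IBootstrapRegistry` interface, the `factory` field, the one-shot `_initialized` flag, and the `BootstrapNotAllowed` and `AlreadyInitialized` errors are assumptions; only the `(address, bytes)` encoding of `initData` and `NexusInitializationFailed` come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

// Hypothetical allowlist exposed by the account factory (assumed, not part of Nexus).
interface IBootstrapRegistry {
    function isAllowedBootstrap(address bootstrap) external view returns (bool);
}

// Hardened initializer: the bootstrap target is verified before the delegatecall.
// The real account's storage layout is not reproduced here.
contract BootstrapGuardedAccount {
    error NexusInitializationFailed();
    error BootstrapNotAllowed(address bootstrap); // assumed error
    error AlreadyInitialized();                   // assumed error

    address public immutable factory; // assumed: deployer that maintains the allowlist
    bool private _initialized;

    constructor(address factory_) {
        factory = factory_;
    }

    function initializeAccount(bytes calldata initData) external payable {
        // One-shot guard. In Nexus the judge notes that SentinelListLib's init
        // already reverts on re-initialization; it is shown inline here for clarity.
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;

        (address bootstrap, bytes memory bootstrapCall) = abi.decode(initData, (address, bytes));

        // Only an allowlisted bootstrap may run in this account's storage context.
        if (!IBootstrapRegistry(factory).isAllowedBootstrap(bootstrap)) {
            revert BootstrapNotAllowed(bootstrap);
        }

        (bool success, ) = bootstrap.delegatecall(bootstrapCall);
        if (!success) revert NexusInitializationFailed();
    }
}
```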

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Other
Assigned finding tags:

finding-front-running-initializeAccount

Invalid, - Checked [here](https://github.com/rhinestonewtf/sentinellist/blob/6dff696f39fb55bfdde9581544d788932f145e47/src/SentinelList.sol#L30-L32) based on `SentinelListLib` used as dependencies as seen [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/interfaces/base/IStorage.sol#L34-L35). Contract cannot be reinitialized - front-running initializers invalid per [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid)
