[Medium-3] Non-compliance with EIP-4337 #498
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-02
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/BaseSmartAccount.sol#L60-L68
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/aa-4337/core/EntryPoint.sol#L319-L329
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/BaseSmartAccount.sol#L60-L68
Vulnerability details
Impact
Some parts of the codebase are not compliant with the EIP-4337 from the EIP-4337 specifications, at multiple degrees of severity.
Proof of Concept
Sender existence
If we take a look at the
_createSenderIfNeeded()
function, we can see that it's not properly implemented:The statement in the EIP implies that if the account does not exist, the initcode must be used.
In this case, it first check if the initcode exists, but this condition should be checked later.
This could be rewritten to:
Account
The third specification of the
validateUserOp()
is the following:This is currently not the case, as the case when the account does not support signature aggregation is not supported right now in the code. The
validateUserOp()
reverts everytime if the recovered signature does not match.Additionally, the
validateUserOp()
should return a time range, as per the EIP specifications:This isn't the case. It just returns a signature deadline validity, which would probably be here the
validUntil
value.Aggregator
This part deals with the aggregator interfacing:
This aggregator address validation is not done.
Tools Used
Manual inspection
Recommended Mitigation Steps
Refactor the code that is not compliant with the EIP
The text was updated successfully, but these errors were encountered: