Griefing attacks on handleOps and multiSend logic
#499
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-01
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
2 (Med Risk)
|
gzeon-c4 marked the issue as duplicate of #90 |
|
gzeon-c4 marked the issue as not a duplicate |
c4-judge
added
primary issue
|
gzeon-c4 marked the issue as primary issue |
This was referenced Jan 18, 2023
|
once public will double check with infinitism community. marked acknowledged for now. and for multisend non-atomic does not make sense! |
c4-sponsor
added
the
sponsor acknowledged
|
livingrockrises marked the issue as sponsor acknowledged |
|
gzeon-c4 marked the issue as selected for report |
c4-judge
added
the
selected for report
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-01-biconomy/blob/5df2e8f8c0fd3393b9ecdad9ef356955f07fbbdd/scw-contracts/contracts/smart-contract-wallet/aa-4337/core/EntryPoint.sol#L68
https://github.com/code-423n4/2023-01-biconomy/blob/5df2e8f8c0fd3393b9ecdad9ef356955f07fbbdd/scw-contracts/contracts/smart-contract-wallet/libs/MultiSend.sol#L26
Vulnerability details
Description
The
handleOpsfunction executes an array ofUserOperation. If at least one user operation fails the whole transaction will revert. That means the error on one user ops will fully reverts the other executed ops.The
multiSendfunction reverts if at least one of the transactions fails, so it is also vulnerable to such type of attacks.Attack scenario
Relayer offchain verify the batch of
UserOperations, convinced that they will receive fees, then send thehandleOpstransaction to the mempool. An attacker front-run the relayers transaction with anotherhandleOpstransaction that executes only oneUserOperation, the last user operation from the relayershandleOpsoperations. An attacker will receive the funds for oneUserOperation. Original relayers transaction will consume gas for the execution of all except one, user ops, but reverts at the end.Impact
Griefing attacks on the gas used for
handleOpsandmultiSendfunction calls.Please note, that while an attacker have no direct incentive to make such an attacks, they could short the token before the attack.
Recommended Mitigation Steps
Remove redundant
require-like checks from internal functions called from thehandleOpsfunction and add the non-atomic execution logic to themultiSendfunction.The text was updated successfully, but these errors were encountered: