code423n4 closed this issue 1 year ago
gzeon-c4 marked the issue as duplicate of #318
You're right. It has to be rebased with the latest code (0.4.0).
livingrockrises marked the issue as sponsor confirmed
gzeon-c4 marked the issue as satisfactory
gzeon-c4 marked the issue as duplicate of #498
Lines of code
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccount.sol#L511
Vulnerability details
Impact
Results in unexpected behavior in the EntryPoint contract.
Proof of Concept
As said in the official specification of EIP-4337: "If the account does not support signature aggregation, it MUST validate the signature is a valid signature of the userOpHash, and SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch. Any other error should revert." SmartAccount._validateSignature does the opposite and reverts if the signature is invalid, which will be wrongly interpreted by the EntryPoint contract.
Tools Used
Manual review
Recommended Mitigation Steps
Return SIG_VALIDATION_FAILED instead of revert in SmartAccount._validateSignature:
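The two behaviours contrasted in this report, as an added sketch that is not code from the report or from the Biconomy repository. The contract and function names are hypothetical; the sketch assumes a single ECDSA owner, an EIP-191 prefixed digest, and `SIG_VALIDATION_FAILED = 1` as in the EIP-4337 reference `BaseAccount`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Added illustration with hypothetical names; not SmartAccount.sol.
contract SignatureCheckSketch {
    // Assumption: value used by the EIP-4337 reference BaseAccount.
    uint256 internal constant SIG_VALIDATION_FAILED = 1;
    // Upper bound for a non-malleable s value (secp256k1 order / 2).
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public owner;

    constructor(address _owner) {
        owner = _owner;
    }

    // Behaviour the report flags: a signature mismatch aborts the call.
    function validateReverting(bytes32 userOpHash, bytes calldata sig)
        external view returns (uint256)
    {
        require(_recover(userOpHash, sig) == owner, "account: wrong signature");
        return 0;
    }

    // Behaviour the quoted spec text asks for: a mismatch is reported
    // through the return value, so only other errors revert.
    function validateReturning(bytes32 userOpHash, bytes calldata sig)
        external view returns (uint256)
    {
        address signer = _recover(userOpHash, sig);
        // address(0) means recovery failed; never treat it as the owner.
        if (signer == address(0) || signer != owner) return SIG_VALIDATION_FAILED;
        return 0;
    }

    // Recovers the signer without reverting on malformed input.
    function _recover(bytes32 userOpHash, bytes calldata sig)
        private pure returns (address)
    {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (uint256(s) > HALF_N || (v != 27 && v != 28)) return address(0);
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash));
        return ecrecover(digest, v, r, s);
    }
}
```

The recovery helper returns `address(0)` rather than reverting on a wrong length or non-canonical signature, so every mismatch path ends in the return value.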