Closed code423n4 closed 1 year ago
gzeon-c4 marked the issue as primary issue
I am not quite sure if CREATE will revert or return 0, but even then it seems to be a state handling issue and low risk.
The only time a create will fail is if the creation code reverts at some point. As it's not subject to change, there is no instance when the create returns an address(0).
livingrockrises marked the issue as sponsor disputed
livingrockrises requested judge review
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccountFactory.sol#L53-L61
Vulnerability details
The deployWallet function present in the SmartAccountFactory contract deploys a new wallet by creating a Proxy that points to a base implementation using assembly.

https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccountFactory.sol#L53-L61

The call to create may fail, in which case the result of proxy will be 0. Citing evm.codes from CREATE opcode section:

Since the result value of the create call isn't checked, the proxy creation can silently fail while the deployWallet function still succeeds.

Impact
If the call to create fails, then the wallet (the Proxy itself) won't exist while the enclosing call to deployWallet will be successful.

Note that the call to init in line 59 will succeed too, since the address(0) has no code. Citing again evm.codes from the CALL opcode section:

This means that the call to deployWallet will succeed and return the address(0) as the wallet's address. This will potentially cause loss of funds, as the user or any other integration may inadvertently send funds to this address.

PoC
SmartAccountFactory.deployWallet with valid parameters
create on line 57 fails and returns 0.
init on 59 still succeeds as the address(0) has no code.
address(0) as the result.

Recommendation
Add a check to verify that the call to create succeeded (proxy != address(0)).
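
Added example, not part of the original report and not the Biconomy contract: a hypothetical factory showing that assembly create yields 0 (rather than reverting the caller) when the init code reverts, next to the same deployment with the recommended check. The names Wallet, FactoryExample and DeployFailed are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example with hypothetical contracts; not code from the audited repository.

/// Wallet whose constructor can be made to revert, so CREATE can be forced to fail.
contract Wallet {
    address public owner;

    constructor(address _owner) {
        require(_owner != address(0), "owner required");
        owner = _owner;
    }
}

contract FactoryExample {
    error DeployFailed();

    /// Unchecked: if the constructor reverts, CREATE pushes 0 and execution
    /// continues, so deployUnchecked(address(0)) returns address(0) without reverting.
    function deployUnchecked(address owner) external returns (address proxy) {
        bytes memory initCode = abi.encodePacked(type(Wallet).creationCode, abi.encode(owner));
        assembly {
            // create(value, offset, size): skip the 32-byte length word of initCode
            proxy := create(0, add(initCode, 0x20), mload(initCode))
        }
    }

    /// Checked: same deployment, but a zero result reverts the whole call,
    /// so the caller never receives address(0) as a wallet address.
    function deployChecked(address owner) external returns (address proxy) {
        bytes memory initCode = abi.encodePacked(type(Wallet).creationCode, abi.encode(owner));
        assembly {
            proxy := create(0, add(initCode, 0x20), mload(initCode))
        }
        if (proxy == address(0)) revert DeployFailed();
    }
}
```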