validateUserOp does not check if missingAccountFunds matchs the signature

[code423n4]

Lines of code

https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/BaseSmartAccount.sol#L60-L68

Vulnerability details

validateUserOp function does not check to see if missingAccountFunds uint256 matchs the signature or not . this can be abused if an attacker front run the tx and call validateUserOp in entrypoint using same sig but with a different missingaccountfunds number which can make the call in user's side revert however no missing funds will accure here but this one will put a lot of problem for EOA users and many 3rd parties that are trying to interact with their accounts using this contract . if a user wants to pay whole the missingAccountFunds in one tx front running the function with less missingAccountFunds will cause the next one to underflow / overflow and revert which will force users to do it again and again and can be so gas and time consuming

[c4-judge]

gzeon-c4 marked the issue as duplicate of #125

[livingrockrises]

this is supposed to be called by only EntryPoint which is global trustless contract.

[c4-sponsor]

livingrockrises marked the issue as sponsor disputed

[c4-judge]

gzeon-c4 marked the issue as unsatisfactory: Invalid