code-423n4 / 2023-01-biconomy-findings

13 stars 10 forks source link

validateUserOp does not check if missingAccountFunds matchs the signature #530

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/BaseSmartAccount.sol#L60-L68

Vulnerability details

validateUserOp function does not check to see if missingAccountFunds uint256 matchs the signature or not . this can be abused if an attacker front run the tx and call validateUserOp in entrypoint using same sig but with a different missingaccountfunds number which can make the call in user's side revert however no missing funds will accure here but this one will put a lot of problem for EOA users and many 3rd parties that are trying to interact with their accounts using this contract . if a user wants to pay whole the missingAccountFunds in one tx front running the function with less missingAccountFunds will cause the next one to underflow / overflow and revert which will force users to do it again and again and can be so gas and time consuming

c4-judge commented 1 year ago

gzeon-c4 marked the issue as duplicate of #125

livingrockrises commented 1 year ago

this is supposed to be called by only EntryPoint which is global trustless contract.

c4-sponsor commented 1 year ago

livingrockrises marked the issue as sponsor disputed

c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Invalid