Closed c4-bot-3 closed 6 months ago
raymondfam marked the issue as primary issue
raymondfam marked the issue as sufficient quality report
Detailed exploit with coded POC.
This is an EntryPoint bug / issue bundlers face, and I would consider out of scope cc @xenoliss
This is an Entrypoint related issue which I would also consider out of scope. Furthermore I think this is mitigated by the fact that Bundlers are expected to simulate the UserOps before including them in their mempool.
wilsoncusack (sponsor) disputed
Known issue with fix in out-of-scope code -> out of scope as per SC recommendation.
3docSec marked the issue as unsatisfactory: Out of scope
If I am not mistaken, bundlers can (should, as it's a known issue with v0.6?) protect from these by running on-chain simulation of their bundles to ensure they don't lose funds
Lines of code
https://github.com/eth-infinitism/account-abstraction/blob/fa61290d37d079e928d92d53a122efcc63822214/contracts/core/EntryPoint.sol#L587
https://github.com/eth-infinitism/account-abstraction/blob/fa61290d37d079e928d92d53a122efcc63822214/contracts/core/EntryPoint.sol#L60-L82
https://github.com/eth-infinitism/account-abstraction/blob/fa61290d37d079e928d92d53a122efcc63822214/contracts/core/EntryPoint.sol#L108
Vulnerability details
Impact
By leveraging the IEntryPoint.FailedOp AA51 revert, a user can craft malicious calldata which reverts the entire bundle transaction of user operations provided to EntryPoint.handleOps(), effectively griefing protocol actors including other users, draining the bundler's fund balance, and causing bundler/paymaster reputation damage.

The first call of EntryPoint._handlePostOp() within EntryPoint.innerHandleOp() will trigger a second invocation of _handlePostOp() in the outer catch block, which likewise reverts again with AA51 and bubbles the revert to the top level, reverting the entire bundle.

Proof of Concept
The following test file is designed for integration with the audit repository by being placed in a new "PoC" (or other name) dir within 2024-03-coinbase/test/SmartWallet/ and then run to observe the ability to deterministically grief by triggering the insufficient-prefund revert. This type of payload can be used to target a bundler and expend its balance:

Tools Used
Manual review & fuzz testing to craft malicious calldata payload which overloads the calculated prefund value and triggers AA51.
Recommended Mitigation Steps
Upgrade the protocol dependency on ERC4337::EntryPoint to v0.7, which addresses this griefing vector by introducing a new recognized constant, INNER_REVERT_LOW_PREFUND = hex'deadaa51';, and uses it to emit an event rather than allowing the entire bundle tx to revert and cause collateral damage to the protocol's ability to continue operation.

More reading on this matter:
https://blog.openzeppelin.com/erc-4337-account-abstraction-incremental-audit#insufficient-prefund
Onchain TX:
https://dashboard.tenderly.co/tx/polygon/0x73b7bf023e8c7b54a374e77bd62702eacce6877c118fef06dd5a6d4cd15954e9?trace=0.5.1
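To make the difference between the two EntryPoint behaviours concrete, here is a simplified model of the inner-call / outer-catch structure. This is an added illustration, not EntryPoint code: the contract name, function names, event names and the flat prefund/actualGasCost parameters are assumptions; only the INNER_REVERT_LOW_PREFUND value and the AA51 reason string come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the two revert-handling strategies (illustration only, not EntryPoint).
contract PrefundHandlingModel {
    // Marker introduced by EntryPoint v0.7 to signal a prefund shortfall from the inner call.
    bytes32 private constant INNER_REVERT_LOW_PREFUND = hex"deadaa51";

    error FailedOp(uint256 opIndex, string reason);
    event PrefundTooLow(uint256 opIndex, uint256 prefund, uint256 actualGasCost);
    event OpCollected(uint256 opIndex, uint256 collected);

    // v0.6-style post-op accounting: a shortfall is a FailedOp. Because it is raised both in
    // the inner call and again from the outer catch block, nothing stops it from bubbling up
    // and reverting the whole bundle.
    function postOpV6(uint256 opIndex, uint256 prefund, uint256 actualGasCost) internal pure returns (uint256) {
        if (prefund < actualGasCost) revert FailedOp(opIndex, "AA51 prefund below actualGasCost");
        return actualGasCost;
    }

    // v0.7-style inner call: report the shortfall with a fixed 32-byte marker instead of FailedOp.
    function innerHandleOpV7(uint256 prefund, uint256 actualGasCost) external view returns (uint256) {
        require(msg.sender == address(this), "internal call only");
        if (prefund < actualGasCost) {
            assembly ("memory-safe") {
                mstore(0, INNER_REVERT_LOW_PREFUND)
                revert(0, 32)
            }
        }
        return actualGasCost;
    }

    // v0.7-style outer handler: recognise the marker, charge at most the prefund, emit an event,
    // and let the rest of the bundle proceed instead of reverting handleOps.
    function executeUserOpV7(uint256 opIndex, uint256 prefund, uint256 actualGasCost) external returns (uint256 collected) {
        try this.innerHandleOpV7(prefund, actualGasCost) returns (uint256 cost) {
            collected = cost;
        } catch (bytes memory ret) {
            bytes32 code;
            if (ret.length >= 32) {
                assembly ("memory-safe") { code := mload(add(ret, 32)) }
            }
            if (code != INNER_REVERT_LOW_PREFUND) revert FailedOp(opIndex, "unexpected inner revert");
            collected = prefund; // the op is capped at what was prefunded; the bundle continues
            emit PrefundTooLow(opIndex, prefund, actualGasCost);
        }
        emit OpCollected(opIndex, collected);
    }
}
```

With the v0.7 shape, a single under-prefunded op produces a PrefundTooLow event for that op index rather than a bundle-wide revert, which is the property a bundler's pre-inclusion simulation should also confirm.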
Assessed type
DoS