code-423n4 / 2024-03-coinbase-findings


Malicious bundler can steal funds from `MagicSpend` #140

Closed c4-bot-2 closed 3 months ago

c4-bot-2 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/MagicSpend/MagicSpend.sol#L143

Vulnerability details

Impact

A hacker can drain the funds in just one transaction. This can be achieved by executing a userOp with an extremely high gas parameter.

Proof of Concept

A hacker sets the preVerificationGas value to 99 ETH. This value is deducted from the MagicSpend and sent to the hacker who runs handleOps().

Tools Used

Manual, Foundry

Recommended Mitigation Steps

  1. Almost all gas parameters in userOp allow a hacker to set an arbitrarily high reward for themselves when calling entryPoint.handleOps()
     1. Add a global rate limit and a contract-specific limit

  2. Verification of gas settings in validateUserOp to prevent malicious bundlers from draining the Paymaster

  3. The architecture to charge compensation for executing a userOp not from sponsors, but directly from the users. This implies deducting other types of cryptocurrencies that users hold in their wallets, such as USDT, for instance.

  4. Restrict all gas parameters in userOp so that running entryPoint.handleOps() becomes unprofitable. Doing this reliably is challenging

Assessed type

ETH-Transfer
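The report's numbers hinge on one quantity: the maximum prefund the ERC-4337 v0.6 EntryPoint charges the paymaster for a userOp, which is also the `maxCost` argument a paymaster receives in `validatePaymasterUserOp`. The following is an added example, not code from the report or from the MagicSpend code base; it reproduces the v0.6 `_getRequiredPrefund` arithmetic from the userOp gas fields and applies a hypothetical per-operation cap of the kind mitigation item 2 suggests. The `UserOperation` dataclass, the `cap_wei` value and the sample operations are constructed for illustration; whether a bundler can actually choose these fields on a signed userOp is a separate question that this thread's triage addresses below, and the example takes no position on it.

```python
# Added example: ERC-4337 v0.6 EntryPoint prefund arithmetic plus a hypothetical
# paymaster-side cap. Not from the MagicSpend repository.
from dataclasses import dataclass

WEI_PER_ETH = 10**18
GWEI = 10**9


@dataclass
class UserOperation:
    """Subset of the v0.6 UserOperation struct relevant to the prefund."""
    call_gas_limit: int
    verification_gas_limit: int
    pre_verification_gas: int
    max_fee_per_gas: int
    has_paymaster: bool = True


def required_prefund(op: UserOperation) -> int:
    """Mirror of EntryPoint v0.6 _getRequiredPrefund.

    With a paymaster, verificationGasLimit is counted three times (account
    validation, paymaster validation, postOp). preVerificationGas is added
    as-is: it is charged, not executed, so no opcode budget bounds it.
    """
    mul = 3 if op.has_paymaster else 1
    required_gas = (
        op.call_gas_limit
        + op.verification_gas_limit * mul
        + op.pre_verification_gas
    )
    return required_gas * op.max_fee_per_gas


def validate_paymaster_user_op(op: UserOperation, max_cost: int, cap_wei: int) -> bool:
    """Hypothetical check a paymaster could run in validatePaymasterUserOp.

    max_cost is what the EntryPoint passes in; it must match what the gas
    fields imply, and it must not exceed the paymaster's per-op ceiling.
    """
    if max_cost != required_prefund(op):
        return False
    return max_cost <= cap_wei


# Constructed sample operations (not taken from any real bundle).
NORMAL_OP = UserOperation(
    call_gas_limit=100_000,
    verification_gas_limit=100_000,
    pre_verification_gas=50_000,
    max_fee_per_gas=30 * GWEI,
)

# Same op, but with preVerificationGas inflated until the prefund is ~99 ETH.
INFLATED_OP = UserOperation(
    call_gas_limit=100_000,
    verification_gas_limit=100_000,
    pre_verification_gas=3_300_000_000,
    max_fee_per_gas=30 * GWEI,
)

# Hypothetical ceiling: 0.05 ETH per sponsored operation.
CAP_WEI = WEI_PER_ETH // 20


def demo() -> dict:
    """Return the prefunds and cap decisions for both sample ops."""
    return {
        "normal_prefund_wei": required_prefund(NORMAL_OP),
        "inflated_prefund_wei": required_prefund(INFLATED_OP),
        "normal_allowed": validate_paymaster_user_op(
            NORMAL_OP, required_prefund(NORMAL_OP), CAP_WEI),
        "inflated_allowed": validate_paymaster_user_op(
            INFLATED_OP, required_prefund(INFLATED_OP), CAP_WEI),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The normal operation costs 450,000 gas at 30 gwei, i.e. 0.0135 ETH, while the inflated one implies just over 99 ETH; the cap rejects the second even though only `preVerificationGas` changed, because that field is multiplied by `maxFeePerGas` with no execution-side bound.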

c4-pre-sort commented 3 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 3 months ago

raymondfam marked the issue as duplicate of #56

raymondfam commented 3 months ago

See #105.

c4-judge commented 3 months ago

3docSec marked the issue as duplicate of #59

c4-judge commented 3 months ago

3docSec marked the issue as unsatisfactory: Invalid