Closed c4-bot-2 closed 3 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #56
See #105.
3docSec marked the issue as duplicate of #59
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/MagicSpend/MagicSpend.sol#L143
Vulnerability details
Impact
A hacker can drain the funds in just one transaction. This can be achieved by executing a userOp with an extremely high gas parameter.
Proof of Concept
A hacker sets the preVerificationGas value to 99 ETH. This value is deducted from the MagicSpend and sent to the hacker who runs handleOps().
Tools Used
Manual, Foundry
Recommended Mitigation Steps
Add a global rate limit and a contract-specific limit.
Verification of gas settings in validateUserOp to prevent malicious bundlers from draining the Paymaster.
The architecture to charge compensation for executing userOp not from sponsors, but directly from the users. This implies deducting other types of cryptocurrencies that users hold in their wallets, such as USDT, for instance.
Restrict all gas parameters in userOp so that running entryPoint.handleOps() becomes unprofitable. Doing this reliably is challenging.
Assessed type
ETH-Transfer
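
The first two recommended mitigations (a gas-cost check at validation time and a global rate limit) can be modeled as below. This is an added example, not code from MagicSpend or from the report. It assumes the ERC-4337 EntryPoint v0.6 prefund formula, and the class names, caps and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

GWEI, ETH = 10**9, 10**18

@dataclass
class UserOp:  # only the gas fields that bound what a paymaster can be charged
    call_gas_limit: int
    verification_gas_limit: int
    pre_verification_gas: int   # a gas amount, priced via max_fee_per_gas
    max_fee_per_gas: int        # wei per gas unit

def max_cost(op: UserOp) -> int:
    # Assumption: EntryPoint v0.6 prefund formula for a sponsored op
    # (verification gas is counted 3x because postOp may run twice).
    gas = op.call_gas_limit + 3 * op.verification_gas_limit + op.pre_verification_gas
    return gas * op.max_fee_per_gas

@dataclass
class PaymasterLimits:  # hypothetical policy object, not a MagicSpend type
    per_op_cap_wei: int
    window_cap_wei: int
    window_seconds: int
    _spent: list = field(default_factory=list)  # (timestamp, wei) of accepted ops

    def validate(self, op: UserOp, now: int) -> tuple[bool, str]:
        cost = max_cost(op)
        if cost > self.per_op_cap_wei:
            return False, "per-op cap exceeded"
        # Forget sponsorships that have aged out of the sliding window.
        self._spent = [(t, w) for t, w in self._spent if now - t < self.window_seconds]
        if sum(w for _, w in self._spent) + cost > self.window_cap_wei:
            return False, "global rate limit exceeded"
        self._spent.append((now, cost))  # rejected ops are never recorded
        return True, "ok"

def demo():
    # Constructed values: 0.02 ETH per op, 0.03 ETH per hour across all ops.
    limits = PaymasterLimits(ETH // 50, 3 * ETH // 100, 3600)
    normal = UserOp(100_000, 100_000, 50_000, 30 * GWEI)            # 0.0135 ETH
    inflated = UserOp(100_000, 100_000, 3_300_000_000, 30 * GWEI)   # about 99 ETH
    return [
        limits.validate(inflated, 0),
        limits.validate(normal, 0),
        limits.validate(normal, 10),
        limits.validate(normal, 20),    # third op in the window exceeds 0.03 ETH
        limits.validate(normal, 3700),  # earlier entries have expired
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```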