Closed c4-bot-4 closed 3 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #111
Inadequate elaboration compared to #111.
3docSec marked the issue as not a duplicate
User frontrunning their own UserOperation
seems like a systemic risk of ERC-4337 bundlers; the mitigation suggested does not seem feasible.
3docSec marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/27873bc8881bc79ea21d1868cb13b58ab58ffdbd/src/SmartWallet/CoinbaseSmartWallet.sol#L1-L336
Vulnerability details
Impact
A user can manipulates the state of their
CoinbaseSmartWallet
between a bundler's validation and transaction submission, causing the transaction to fail and the bundler to miss out on fees.Proof of Concept
Here's how such a scenario could unfold:
User Prepares Operation: Alice, a user of the
CoinbaseSmartWallet
, requests aUserOperation
to be processed by a bundler. She provides all necessary information, including the current nonce and the set of wallet owners.Bundler Validates: The bundler receives Alice's
UserOperation
and validates it. The bundler checks that the nonce is correct and that Alice's wallet has enough funds to cover the gas fees for the transaction.Intentional State Change: After receiving confirmation of validation from the bundler but before the bundler submits the transaction, Alice intentionally calls the
executeBatch
function on herCoinbaseSmartWallet
. She includes a transaction that updates the nonce and changes the ownership structure of the wallet. Alternatively, she could call_authorizeUpgrade
to upgrade the contract to a new implementation, significantly altering the wallet's state.Bundler Submits: The bundler, unaware of the recent changes, submits Alice's
UserOperation
to the network, expecting it to succeed as it had passed validation.Transaction Fails: The network processes the bundler's submission, but the transaction fails because the state of Alice's wallet no longer matches the state expected by the UserOperation. The nonce is incorrect, the ownership may have changed, or the contract code is different due to the upgrade. As a result, the bundler does not receive the reward they anticipated for including the transaction.
Transaction failure problem.
Tools Used
Manual review
Recommended Mitigation Steps
Locking Mechanism: Implement a mechanism to lock the state during the critical period between a bundler's validation and the submission of the UserOperation.
Penalties: Implement penalties for users who frequently cause transactions to fail after validation.
Assessed type
Error