Closed c4-bot-1 closed 3 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #102
On top of the comment on #102, the contract has already been so designed to handle non-ETH assets via withdraw().
This report describes a missing feature without a clear argument on what is the impact of not having it.
3docSec marked the issue as unsatisfactory: Insufficient proof
Thanks for judging @3docSec ,
I confirmed that withdraw()
is meant to be called in execution through bundler + entry point, by the documentation bot and information provided by @raymondfam (who was responsible for answering questions throughout the contest).
The sponsor also verified two methods for utilizing the withdraw()
function:
execute()
on SCW to initiate withdraw()
.withdraw()
is invoked during execution through bundler + entry point.Method 1:
Owners have the option to directly call withdraw()
without relying on bundler + entry point. However, this necessitates the owner to request a withdrawal signature from Coinbase.com (userOp(withdrawRequest)
to bundler), then scan the mem-pool for the required withdrawRequest
input parameter in withdraw()
. Subsequently, the owner can use execute()
to invoke withdraw()
on SCW. Although functional, this approach is suboptimal and undermines the purpose of SCW.
Method 2:
Attempting to use withdraw()
with bundler + entry point will result in a revert, as it exclusively supports ETH in validatePaymasterUserOp()
. It's worth mentioning that Coinbase.com permits users to purchase various tokens beyond ETH and it's unreasonable to assume Non-ETH tokens are not supported.
Based on the current implementation, withdraw()
is NOT compatible with bundler + entry point at all. withdraw()
ETH will revert (see #102 for the reason why it reverts), and non-ETH tokens are not supported.
I would argue this is a design flaw rather than missing feature. Maybe the sponsor can take a look?
Side note: this is not a dupe of #102 which talks about a different issue.
Hi @Henrychang26, I see your point, it makes sense, but still the limitation is on use cases that don’t have to be supported for the wallet’s core functionality that is to function as an ERC-4337 compatible account abstraction tool.
@3docSec
I agree this is limitation on use cases and does not impact wallet's core functionality. This report was submitted based on the grounds that, withdraw()
is designed to be used with bundler + entry point according multiple sources including README and it does not work as intended.
I have no further information to add. I believe this deserves at least QA if not valid medium severity. I respect whatever your decision is.
Thank you!
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/main/src/MagicSpend/MagicSpend.sol#L109 https://github.com/code-423n4/2024-03-coinbase/blob/main/src/MagicSpend/MagicSpend.sol#L181 https://github.com/code-423n4/2024-03-coinbase/blob/main/src/MagicSpend/MagicSpend.sol#L334
Vulnerability details
Impact
Non-ETH tokens are not supported in
withdraw()
when called through bundler + entry point.Proof of Concept
Based on sponsor,
withdraw()
can be used in two ways.execute()
function, enabling a call towithdraw()
with a validwithdrawRequest
.withdraw()
is executed within the transaction flow.Current UI on Coinbase.com ONLY supports
withdraw()
through bundler + entry point per sponsor.This report particularly focuses on scenario 2, where
withdraw()
is processed through the bundler + entry point.It's important to highlight that the
withdraw()
function is designed to support both ETH and other valid tokens, as evident from the_withdraw()
implementation.When utilizing the bundler + entry point, the process unfolds as follows:
withdraw()
) to the bundler.validateUserOp()
with Smart Contract Wallet (SCW), then decreases PayMaster deposits.validatePaymasterUserOp()
on MagicSpend/PayMaster. Within this function, it examines whetherwithdrawRequest.asset != address(0)
. Given that address(0) denotes ETH, any non-ETH token will trigger a revert condition.Tools Used
Manual Review
Recommended Mitigation Steps
Consider refactoring
validatePaymasterUserOp()
to 2 scenarios. Scenario 1 handles ETH Scenario 2 handles withdraw of any Non-ETH token.Assessed type
Error