Open hats-bug-reporter[bot] opened 1 week ago
We recognize the potential concern raised, but the issue's severity is mitigated by several factors:
BaseAccount
contract from the @account-abstraction
library already incorporates chainId validation as part of its design. This ensures that transactions are valid only on the intended chain, preventing cross-chain replay attacks.validUntil
and validAfter
fields. However, our initial assessment indicates that the chainId is indeed accounted for by the EntryPoint
.In conclusion, while the concern is valid in a multi-chain context, it does not currently apply to our single-chain deployment. The EntryPoint
contract handles chainId
validation, and our implementation adheres to the standard. Therefore, the issue is not a high-severity vulnerability in our current setup, is not of a concern because of the role that EntryPoint
plays. We consider the issue to be invalid, and it is also lacking a valid revised code file and PoC.
Github username: @0x3b33 Twitter username: -- Submission hash (on-chain): 0x0dafba3765cbcd539115fa33c3449294d1fb96d19eb17b92db269a998a30f028 Severity: high
Description: Description\
AtomWallet
's_validateSignature
internal function doesn't verify chainId consistency. This means if the same AtomWallet exists on two chains, any signature sent tovalidateUserOp
would be replayable on the second chain.This is extremely dangerous as any user can copy the transaction and send it to the AtomWallet on the other chain.
Example:\
Attachments\ Implement a check inside
_validateSignature
for chainId. For example,chainId
can be included together with thestring
anduserOpHash
.