matteocelani / zeroKey

Access, use, and recovery of smart accounts without physical keys, using zero-knowledge proof.
https://zero-key.vercel.app
0 stars 2 forks

Security vulnerability #2

Open OxMarco opened 2 weeks ago

OxMarco commented 2 weeks ago

https://github.com/matteocelani/zeroKey/blob/cb68013676dac095812145aa4ed3446a66014c7f/scaffold-eth/ZeroKey/packages/hardhat/contracts/ZeroKeyModule.sol#L51

Someone can batch the key update tx with a sweep tx and, due to the weak security constraints, get it executed, bypassing any multisig signature check.

lemerr commented 1 week ago

Thank you for your comment!

Smart wallet owners pre-agree on a shared secret by posting its hash on-chain. Later, they can generate a proof demonstrating knowledge of the secret, which allows them to execute any transaction from their wallet. These transactions are performed in the context of the smart wallet and, by design, bypass the usual multisig signature checks. The key idea is that the wallet owners had already agreed on the secret to be used.

Of course, in the demo the security is weak for demonstration purposes (only three security questions), making it vulnerable to brute-force attacks. However, by improving the scheme used to generate the secret, it's possible to achieve a much higher level of security.
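The following is an added toy model of the flow lemerr describes (hash of a shared secret posted on-chain; a proof of knowledge of the secret authorizes arbitrary execution) together with the brute-force weakness of a three-security-question secret. It is not code from zeroKey, from ZeroKeyModule.sol, or from either commenter: the ZK verifier is replaced by a plain preimage check, sha3_256 stands in for the on-chain hash, and the wallet, ledger, candidate answer lists, and the `updateSecretHash`/`sweep` operations are constructed for illustration.

```python
"""Toy model of the zeroKey recovery idea: owners post hash(secret) on-chain and
anyone who proves knowledge of the secret may execute calls from the wallet.
The ZK proof is replaced by a preimage check; sha3_256 stands in for keccak256.
Added example; not code from the zeroKey project or from the issue thread."""
from __future__ import annotations

import hashlib
import itertools
import math
from dataclasses import dataclass, field

SEP = "\x1f"  # unit separator so ("ab", "c") and ("a", "bc") hash differently


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive answers, as a security-question UI would do."""
    return " ".join(answer.strip().lower().split())


def commitment(answers: list[str]) -> str:
    """Stand-in for the on-chain hash of the shared secret (sha3_256, assumed)."""
    data = SEP.join(normalize(a) for a in answers).encode()
    return hashlib.sha3_256(data).hexdigest()


@dataclass
class ToyZeroKeyWallet:
    """Constructed wallet plus recovery module: a secret hash and a tiny ledger."""
    secret_hash: str
    balances: dict[str, int]  # address -> balance (constructed ledger)
    address: str = "0xWALLET"
    log: list[str] = field(default_factory=list)

    def execute_with_proof(self, answers: list[str], calls: list[tuple]) -> None:
        # Only knowledge of the secret is checked. Nothing binds the proof to the
        # calls, their count, or a nonce, so any batch runs once the check passes.
        if commitment(answers) != self.secret_hash:
            raise PermissionError("proof does not match on-chain secret hash")
        for call in calls:
            self._dispatch(call)

    def _dispatch(self, call: tuple) -> None:
        op, *args = call
        if op == "updateSecretHash":        # hypothetical key-update operation
            (new_hash,) = args
            self.secret_hash = new_hash
        elif op == "sweep":                 # hypothetical drain-everything operation
            (to,) = args
            amount = self.balances[self.address]
            self.balances[self.address] = 0
            self.balances[to] = self.balances.get(to, 0) + amount
        else:
            raise ValueError(f"unknown op {op}")
        self.log.append(f"{op}{tuple(args)}")


def search_space_bits(candidate_lists: list[list[str]]) -> float:
    """log2 of the number of answer combinations an attacker has to try."""
    return math.log2(math.prod(len(c) for c in candidate_lists))


def brute_force(target_hash: str, candidate_lists: list[list[str]]):
    """Enumerate answer combinations against the public hash.
    Returns (answers, attempts), or (None, attempts) if nothing matched."""
    attempts = 0
    for combo in itertools.product(*candidate_lists):
        attempts += 1
        if commitment(list(combo)) == target_hash:
            return list(combo), attempts
    return None, attempts


# Constructed candidate lists for three typical security questions.
PETS = ["max", "bella", "charlie", "lucy", "rex", "milo", "luna", "buddy", "coco", "rocky"]
CITIES = ["rome", "milan", "turin", "naples", "florence", "bologna", "genoa", "venice"]
COLORS = ["red", "blue", "green", "black", "white", "yellow", "purple", "orange"]
CANDIDATES = [PETS, CITIES, COLORS]


def attack_demo() -> dict:
    """Owners commit to weak answers; an attacker recovers them from the public
    hash, then batches a hash update with a sweep under one proof-gated call."""
    owner_answers = ["Rex", "Turin ", "blue"]
    wallet = ToyZeroKeyWallet(
        secret_hash=commitment(owner_answers),
        balances={"0xWALLET": 1_000, "0xATTACKER": 0},
    )
    recovered, attempts = brute_force(wallet.secret_hash, CANDIDATES)
    assert recovered is not None
    attacker_secret = ["attacker-only-" + "x" * 32]
    wallet.execute_with_proof(
        recovered,
        [("updateSecretHash", commitment(attacker_secret)), ("sweep", "0xATTACKER")],
    )
    return {
        "bits": search_space_bits(CANDIDATES),
        "recovered": recovered,
        "attempts": attempts,
        "wallet_balance": wallet.balances["0xWALLET"],
        "attacker_balance": wallet.balances["0xATTACKER"],
        "owners_still_know_secret": commitment(owner_answers) == wallet.secret_hash,
    }


if __name__ == "__main__":
    print(attack_demo())
```

Two things the model makes concrete. First, `search_space_bits` is the number that the maintainer's "improved scheme" has to raise: three answers drawn from short lists give well under 10 bits here, so the public hash is recovered in a few hundred hash evaluations, whereas a secret derived from a random 256-bit seed would make `brute_force` hopeless. Second, because `execute_with_proof` checks only knowledge of the secret, the same proof authorizes both the hash update and the sweep, which is the batching concern raised in the issue; in this toy, binding the proof's public inputs to a wallet nonce and the hash of the exact call batch would make a proof usable for one specific batch only.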