code4rena-2023-01-biconomy-l11
[L-11] init() function can be called by anybody
Summary
The report points out that anyone can call the initialize function.
Keyword
upgradable, initialize
Vulnerability
contracts/smart-contract-wallet/SmartAccount.sol:
function init(address _owner, address _entryPointAddress, address _handler) public override initializer {
    // public, with no check on msg.sender
    require(owner == address(0), "Already initialized");
    require(address(_entryPoint) == address(0), "Already initialized");
    require(_owner != address(0),"Invalid owner");
    require(_entryPointAddress != address(0), "Invalid Entrypoint");
    require(_handler != address(0), "Invalid Entrypoint");
    owner = _owner;
    _entryPoint = IEntryPoint(payable(_entryPointAddress));
    if (_handler != address(0)) internalSetFallbackHandler(_handler);
    setupModules(address(0), bytes(""));
}
The report points out that anyone can call the init function. Although the Factory calls this function immediately after deployment, the report still suggests checking the caller's authorization.
Impact
Anyone can call init and initialize the contract.
Mitigation
if (msg.sender != DEPLOYER_ADDRESS) {
    revert NotDeployer();
}
Memo
Combined with the initialization of the upgradeable logic contract, this got a High rating, though..
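The Mitigation check placed in context, as an added sketch that is not Biconomy's code or the report's. Wallet, WalletProxy and WalletFactory are hypothetical names, and it assumes the factory deploys the logic contract in its own constructor, so that DEPLOYER_ADDRESS is the factory both for the logic contract and for every proxy that delegatecalls into it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added sketch, not Biconomy's code. Wallet, WalletProxy and WalletFactory are
// hypothetical; DEPLOYER_ADDRESS and NotDeployer come from the Mitigation section.
contract Wallet {
    error NotDeployer();
    error AlreadyInitialized();
    error InvalidOwner();
    // Immutables live in the runtime bytecode, so the value is also visible
    // when a proxy reaches this code through delegatecall.
    address public immutable DEPLOYER_ADDRESS;
    address public owner;

    constructor() { DEPLOYER_ADDRESS = msg.sender; } // the factory (assumption)

    function init(address _owner) external {
        if (msg.sender != DEPLOYER_ADDRESS) revert NotDeployer();
        if (owner != address(0)) revert AlreadyInitialized();
        if (_owner == address(0)) revert InvalidOwner();
        owner = _owner;
    }
}

contract WalletProxy {
    address private immutable implementation;
    constructor(address _implementation) { implementation = _implementation; }
    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

contract WalletFactory {
    address public immutable implementation;
    constructor() { implementation = address(new Wallet()); }

    function deploy(address _owner) external returns (address proxy) {
        proxy = address(new WalletProxy(implementation));
        Wallet(proxy).init(_owner); // msg.sender seen by init is this factory
    }
}
```

With this layout, a direct init call on the logic contract, or on a proxy by any account other than the factory, reverts with NotDeployer.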
tags: bughunting, smart contract, biconomy, account abstraction, erc4337, upgradeable, initialize error, wallet, severity low