Back to 0xbrett8571's contests

Coinbase Smart Wallet - 0xbrett8571's results

Smart Wallet from Coinbase Wallet

General Information

Platform: Code4rena

Start Date: 14/03/2024

Pot Size: $49,000 USDC

Total HM: 3

Participants: 51

Period: 7 days

Judge: 3docSec

Id: 350

League: ETH

Coinbase

Findings Distribution

Researcher Performance

Rank: 16/51

Findings: 2

Award: $57.62

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCoinbase

Findings Information

🌟 Selected for report: 0xmystery

Also found by: 0xbrett8571, 0xhacksmithh, 7ashraf, Bigsam, Circolors, IceBear, Jorgect, Koala, Limbooo, SBSecurity, Tigerfrake, ZanyBonzy, aycozynfada, cheatc0d3, cryptphi, d3e4, doublespending, foxb868, gpersoon, imare, jesjupyter, lsaudit, robriks, shealtielanz, y4y

Awards

36.3397 USDC - $36.34

Labels

bug
downgraded by judge
grade-a
insufficient quality report
primary issue
QA (Quality Assurance)
:robot:_21_group
Q-25

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L85-L87 https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L93-L95

Vulnerability details

Overview

MultiOwnable contract allows adding owners by providing an Ethereum address or a WebAuthn public key. However, there is a lack of proper input validation when adding owners, which could potentially lead to the addition of invalid or malformed owner data. This may result in signature validation failures for the affected owners, effectively bricking their ability to execute transactions.

Description

addOwnerAddress and addOwnerPublicKey, which are responsible for adding new owners to the SmartWallet contract.

addOwnerAddress function:

function addOwnerAddress(address owner) public virtual onlyOwner {
    _addOwner(abi.encode(owner));
}

addOwnerPublicKey function:

function addOwnerPublicKey(bytes32 x, bytes32 y) public virtual onlyOwner {
    _addOwner(abi.encode(x, y));
}

Both functions take the owner data (Ethereum address or WebAuthn public key) as input, encode it using abi.encode, and pass it to the internal _addOwner function.

The issue lies in the lack of proper input validation when adding owners using the addOwnerAddress and addOwnerPublicKey functions.

In the addOwnerAddress function, there is no explicit validation to ensure that the provided owner parameter is a valid Ethereum address. Similarly, in the addOwnerPublicKey function, there is no validation to check if the provided x and y parameters form a valid WebAuthn public key.

#L86

_addOwner(abi.encode(owner));

and #L94

_addOwner(abi.encode(x, y));

These lines encode the owner data without any prior validation and pass it to the _addOwner function, which adds the owner to the contract's storage.

The expected behavior is that only valid Ethereum addresses and WebAuthn public keys should be accepted as owners when calling the addOwnerAddress and addOwnerPublicKey functions, respectively. The functions should perform proper input validation to ensure the integrity and validity of the owner data before adding it to the contract.

Due to the lack of validation, the addOwnerAddress and addOwnerPublicKey functions allow the addition of invalid or malformed owner data. For example, an invalid Ethereum address or a malformed WebAuthn public key can be added as an owner without any checks or restrictions.

When attempting to execute transactions using the invalid owner data, the signature validation process in the _validateSignature function will fail. This is because the _validateSignature function expects the owner data to be in a specific format (32 bytes for Ethereum address or 64 bytes for WebAuthn public key) and performs certain checks on the data.

If the owner data is invalid or malformed, the signature validation will always fail for that specific owner, effectively bricking their ability to execute transactions.

Impact

Owners with invalid Ethereum addresses or malformed WebAuthn public keys will be unable to execute transactions, as the signature validation will always fail for them.

For addOwnerAddress function:

function addOwnerAddress(address owner) public virtual onlyOwner {
+      require(owner != address(0), "Invalid Ethereum address");
    _addOwner(abi.encode(owner));
}

For addOwnerPublicKey function:

function addOwnerPublicKey(bytes32 x, bytes32 y) public virtual onlyOwner {
+      require(isValidWebAuthnPublicKey(x, y), "Invalid WebAuthn public key");
    _addOwner(abi.encode(x, y));
}

function isValidWebAuthnPublicKey(bytes32 x, bytes32 y) internal pure returns (bool) {
    // Implement WebAuthn public key validation logic
    // Example: Check if the point (x, y) is on the secp256r1 curve
    // ...
}

These measures ensure that only valid Ethereum addresses and WebAuthn public keys are accepted as owners. The addOwnerAddress function checks if the provided address is not the zero address, while the addOwnerPublicKey function includes a separate validation function (isValidWebAuthnPublicKey) to check the validity of the WebAuthn public key.

Assessed type

Invalid Validation

#0 - raymondfam

2024-03-22T01:01:08Z

removeOwnerAtIndex can always be used to counter mistakes done through addOwnerAddress and addOwnerPublicKey.

#1 - c4-pre-sort

2024-03-22T01:01:11Z

raymondfam marked the issue as insufficient quality report

#2 - c4-pre-sort

2024-03-22T01:01:15Z

raymondfam marked the issue as primary issue

#3 - 3docSec

2024-03-27T10:00:29Z

QA is more appropriate for user mistakes.

#4 - c4-judge

2024-03-27T10:00:41Z

3docSec changed the severity to QA (Quality Assurance)

#5 - c4-judge

2024-03-27T10:00:45Z

3docSec marked the issue as grade-a

Findings Information

🌟 Selected for report: roguereggiant

Also found by: 0xbrett8571, 0xepley, Circolors, JCK, JcFichtner, LinKenji, MSK, Myd, SAQ, SBSecurity, albahaca, cheatc0d3, clara, emerald7017, fouzantanveer, foxb868, hunter_w3b, kaveyjoe, popeye, unique

Awards

21.2754 USDC - $21.28

Labels

analysis-advanced
grade-b
sufficient quality report
A-19

External Links

Link to GitHub issue

: Coinbase Smart Wallet

1. Introduction

The Coinbase Smart Wallet is an advanced, multi-owner wallet system built on the Ethereum blockchain. It leverages cutting-edge technologies such as WebAuthn authentication and the ERC-4337 standard to provide a secure and flexible solution for managing digital assets. The smart wallet aims to enhance user experience and security by offering features like multiple ownership, cross-chain compatibility, and upgradability.

2. Approach

  1. Code Review: A detailed examination of the smart contract code, including the SmartWallet, WebAuthnSol, FreshCryptoLib, and MagicSpend components.
  2. Architecture Analysis: Assessing the overall architecture of the smart wallet system, identifying potential risks and areas for improvement.
  3. Invariant Verification: Verifying the correct implementation and preservation of stated invariants for each component.
  4. Attack Vector Analysis: Investigating potential attack vectors and vulnerabilities, such as unauthorized fund movements, account bricking, cross-chain replay attacks, invalid withdraw requests, griefing attacks, and false positives/negatives in validation.
  5. Centralization and Admin Control: Evaluating centralization risks and potential admin abuse scenarios.
  6. Documentation Review: Examining technical documentation, audit reports, and other relevant resources to gain a comprehensive understanding of the protocol's intended functionality.

3. Architecture Risks and Recommendations

3.1 Upgradability Mechanism

The Coinbase Smart Wallet utilizes the UUPS (Universal Upgradeable Proxy Standard) pattern for contract upgradability. While this pattern provides flexibility for future enhancements, it also introduces potential risks if not implemented securely.

Risks:

  • Malicious or buggy implementation upgrade could compromise the wallet's functionality and security.
  • Unauthorized upgrades by a single owner could introduce vulnerabilities or alter the wallet's behavior.

Recommendations:

  • Implement a multi-signature or time-lock mechanism for contract upgrades to mitigate single-point-of-failure risks.
  • Thoroughly review and test any new implementation before deploying an upgrade.
  • Consider implementing emergency pause functionality to halt upgrades in case of a security incident.

Architecture Overview

The Coinbase Smart Wallet consists of several key components:

  1. SmartWallet: The core contract that manages the wallet's functionality, including owner management, transaction execution, and cross-chain replay protection.
  2. MultiOwnable: A contract that handles the management of multiple owners, allowing them to collectively control the wallet.
  3. WebAuthnSol: A library that integrates WebAuthn authentication into the smart wallet, enabling secure transaction authorization using WebAuthn-compatible devices.
  4. FreshCryptoLib: A library that provides cryptographic functions for signature verification, specifically for the secp256r1 curve used in WebAuthn.
  5. MagicSpend: A component that enables signature-based withdrawals and acts as a paymaster for gas fee management.

These components work together to provide a comprehensive and secure smart wallet solution.

1. Architecture Overview Diagram

graph LR
    A[User] --> B[SmartWallet]
    B --> C[MultiOwnable]
    B --> D[WebAuthnSol]
    B --> E[FreshCryptoLib]
    B --> F[MagicSpend]
    G[EntryPoint] --> B
    H[Ethereum Network] --> B
    I[WebAuthn Providers] --> D

The diagram illustrates the high-level components of the Coinbase Smart Wallet and their interactions. The SmartWallet contract acts as the central component, interacting with the MultiOwnable, WebAuthnSol, FreshCryptoLib, and MagicSpend contracts. The EntryPoint contract and the Ethereum Network communicate with the SmartWallet, while WebAuthn Providers integrate with the WebAuthnSol library.

2. Architecture View

graph LR
    A[User] --> |Owns| B[SmartWallet]
    B --> |Uses| C[MultiOwnable]
    C --> |Manages| D[Owners]
    B --> |Authenticates with| E[WebAuthnSol]
    E --> |Verifies with| F[FreshCryptoLib]
    B --> |Withdraws with| G[MagicSpend]
    H[EntryPoint] --> |Validates and Executes| B
    I[Ethereum Network] --> |Hosts and Interacts with| B
    J[WebAuthn Providers] --> |Provides Authentication for| E

The View with diagram provides a more detailed representation of the smart wallet's architecture. It showcases the relationships between the components and the key functionalities they enable. The MultiOwnable contract manages the wallet owners, the WebAuthnSol library handles authentication using WebAuthn, the FreshCryptoLib library performs cryptographic verification, and the MagicSpend contract facilitates withdrawals. The EntryPoint contract validates and executes transactions, while the Ethereum Network hosts and interacts with the smart wallet.

3.2 Owner Management

The smart wallet allows multiple owners, identified by their Ethereum addresses or WebAuthn public keys, to manage the wallet collectively.

Risks:

  • Malicious owners could add or remove other owners, potentially leading to unauthorized access or loss of funds.
  • Lack of proper validation when adding owners could result in invalid or duplicate owner addresses/keys.

Recommendations:

  • Implement additional access control mechanisms, such as multi-signature requirements or time-locks, for critical owner management functions.
  • Perform thorough validation of owner addresses and WebAuthn public keys to ensure their uniqueness and validity.
  • Consider implementing an owner removal process that requires approval from a majority of owners to prevent a single owner from removing others.

3. Admin Flow

graph LR
    A[Admin] --> |Deploys and Initializes| B[SmartWallet]
    A --> |Adds Owners| C[MultiOwnable]
    A --> |Upgrades Contract| D[UUPSUpgradeable]
    A --> |Sets Entry Point| E[EntryPoint]
    A --> |Manages Funds| F[MagicSpend]

The Admin Flow illustrates the actions and responsibilities of the smart wallet administrators. Admins deploy and initialize the SmartWallet contract, add owners through the MultiOwnable component, upgrade the contract using the UUPSUpgradeable pattern, set the EntryPoint address, and manage funds through the MagicSpend contract.

Risks:

  • Centralized control: Admins have significant control over the smart wallet, which could lead to centralization risks if not properly managed.
  • Upgradeability: Contract upgrades, if not thoroughly tested and audited, could introduce vulnerabilities or unexpected behavior.

4. User Flow

graph LR
    A[User] --> |Authenticates with| B[WebAuthn]
    A --> |Sends Transaction| C[SmartWallet]
    C --> |Validates Signature| D[WebAuthnSol]
    D --> |Verifies with| E[FreshCryptoLib]
    C --> |Executes Transaction| F[Ethereum Network]
    A --> |Withdraws Funds| G[MagicSpend]

The User Flow showcases the typical user interactions with the Coinbase Smart Wallet. Users authenticate using WebAuthn, send transactions to the SmartWallet contract, which validates the signature using the WebAuthnSol library and FreshCryptoLib for verification. The SmartWallet then executes the transaction on the Ethereum Network. Users can also withdraw funds through the MagicSpend contract.

Risks:

  • WebAuthn integration: Incorrect implementation or vulnerabilities in the WebAuthn integration could lead to unauthorized access or signature validation failures.
  • Withdraw requests: Invalid or malicious withdraw requests could potentially exploit the MagicSpend contract if not properly validated.

4. Codebase Quality Analysis

4.1 Code Structure and Readability

The codebase follows a modular structure, separating concerns into different contracts and libraries. The code is well-commented and follows a consistent naming convention, enhancing readability and maintainability.

However, some areas for improvement include:

  • More detailed documentation explaining the purpose and functionality of each contract and function.
  • Consistent use of error messages and event emissions for better debugging and monitoring.
  • Clearer separation of concerns between the smart wallet core functionality and external dependencies.

4.2 Use of External Libraries and Contracts

The smart wallet integrates external libraries and contracts, such as Solady's Ownable and UUPSUpgradeable, WebAuthnSol, and ERC1271.

Risks:

  • Vulnerabilities or bugs in the external dependencies could propagate to the smart wallet system.
  • Incorrect integration or misuse of external contracts could introduce security risks.

Recommendations:

  • Thoroughly review and audit the external libraries and contracts before integration.
  • Regularly monitor and update the dependencies to ensure they are up to date with the latest security patches.
  • Implement a dependency management system to track and manage external dependencies effectively.

5. Core Contract

graph LR
    A[SmartWallet] --> |Calls| B[MultiOwnable]
    A --> |Calls| C[WebAuthnSol]
    C --> |Uses| D[FreshCryptoLib]
    A --> |Calls| E[MagicSpend]
    F[EntryPoint] --> |Validates and Calls| A
    A --> |Executes on| G[Ethereum Network]

Illustrates the interactions between the core contracts of the Coinbase Smart Wallet. The SmartWallet contract acts as the central hub, calling the MultiOwnable contract for owner management, the WebAuthnSol library for authentication (which in turn uses FreshCryptoLib for cryptographic operations), and the MagicSpend contract for withdrawals. The EntryPoint contract validates and calls the SmartWallet, which executes transactions on the Ethereum Network.

Risks:

  • Contract interactions: Unexpected behavior or vulnerabilities in the interactions between contracts could lead to security risks.
  • Dependency on external contracts: The smart wallet relies on external contracts and libraries, which could introduce risks if not properly audited and maintained.

6. Contract Analysis

graph LR
    A[SmartWallet] --> |Centralization Risk| B[Owner Control]
    A --> |Systematic Risk| C[Ethereum Network]
    A --> |Mechanism Review| D[Access Control]
    A --> |Mechanism Review| E[Signature Validation]
    A --> |Mechanism Review| F[Withdraw Requests]
    A --> |Mechanism Review| G[Cross-Chain Replay Protection]

The Contract focuses on the key areas of analysis for the Coinbase Smart Wallet:

4.3 Error Handling and Validation

The codebase includes various error handling mechanisms, such as custom error types and require statements, to validate input and handle exceptional scenarios.

However, there are areas where error handling and validation can be improved:

  • More consistent use of custom error types across all contracts for better error tracing and handling.
  • Additional input validation for critical functions, such as owner management and fund transfers.
  • Implementing a centralized error handling mechanism to ensure consistent error reporting and logging.

5. Centralization Risks and Admin Control Abuse

5.1 Owner Privileges

The smart wallet grants significant privileges to the owners, including the ability to add/remove owners, upgrade contracts, and execute transactions.

  • Owner Control: The smart wallet relies on a multi-owner model, where owners have significant control over the wallet's functionalities. This concentration of power could lead to centralization risks if not properly managed.

Risks:

  • Malicious or compromised owners could abuse their privileges to manipulate the wallet's functionality or steal funds.
  • Concentration of power among a small group of owners could lead to centralization risks.

Recommendations:

  • Implement a multi-signature mechanism for critical owner actions, requiring approval from multiple owners.
  • Establish clear guidelines and procedures for owner responsibilities and accountability.
  • Consider implementing a time-lock mechanism for certain owner actions to allow for a review period before execution.

5.2 Admin Control

The smart wallet does not have a dedicated admin role, but the owners collectively act as the administrators of the wallet.

Risks:

  • Owners could collude to make decisions that are not in the best interest of the wallet users.
  • Lack of transparency in owner actions could lead to mistrust and potential abuse of power.

Recommendations:

  • Implement a governance mechanism that involves wallet users in decision-making processes.
  • Establish clear rules and guidelines for owner actions and ensure transparency through event emissions and logging.
  • Consider implementing a dispute resolution mechanism to handle conflicts between owners and users.

6. Mechanism Review

6.1 Signature Validation

The smart wallet supports both Ethereum-based signatures (ERC-1271) and WebAuthn authentication for transaction authorization.

  • Access Control: The smart wallet implements access control mechanisms, such as the onlyOwner modifier, to restrict certain actions to authorized owners. Thorough review and testing of these mechanisms are crucial to ensure their effectiveness.
    • Signature Validation: The smart wallet relies on WebAuthn and cryptographic libraries for signature validation. Proper implementation and security of these components are essential to prevent unauthorized access.
    • Withdraw Requests: The MagicSpend contract handles withdraw requests, which need to be carefully validated to prevent invalid or malicious withdrawals.
    • Cross-Chain Replay Protection: The smart wallet includes cross-chain replay protection mechanisms, which should be reviewed and tested to ensure their effectiveness in preventing replay attacks across different chains.

Risks:

  • Incorrect implementation of signature validation could lead to unauthorized access or fund transfers.
  • Vulnerabilities in the WebAuthn verification process could compromise the wallet's security.

Recommendations:

  • Thoroughly test the signature validation mechanism, including edge cases and potential attack vectors.
  • Regularly audit and update the WebAuthn integration to ensure its security and compatibility with the latest standards.
  • Consider implementing additional security measures, such as rate limiting and IP blocking, to prevent brute-force attacks on signature validation.

6.2 Cross-Chain Replay Protection

The smart wallet includes a mechanism to prevent cross-chain replay attacks by using a unique identifier (REPLAYABLE_NONCE_KEY) for transactions that are allowed to be replayed across chains.

Risks:

  • Improper implementation of the replay protection mechanism could allow unauthorized replays of transactions.
  • Insufficient validation of replayable transactions could lead to unintended consequences or vulnerabilities.

Recommendations:

  • Thoroughly test the cross-chain replay protection mechanism to ensure its effectiveness and correctness.
  • Implement additional checks and validations for replayable transactions to prevent potential abuse or unintended behavior.
  • Consider implementing a whitelist or allowlist approach for specifying the functions that are allowed to be replayed across chains.

7. Systemic Risks

7.1 Dependency on External Systems

The smart wallet relies on external systems, such as the Ethereum network and WebAuthn authentication providers, for its functionality.

  • Ethereum Network: The smart wallet operates on the Ethereum blockchain, making it susceptible to any systematic risks associated with the Ethereum network, such as network congestion, forks, or consensus failures.

Risks:

  • Failures or vulnerabilities in the underlying Ethereum network could impact the wallet's availability and security.
  • Compromised or malicious WebAuthn authentication providers could lead to unauthorized access to user wallets.

Recommendations:

  • Implement robust error handling and fallback mechanisms to handle external system failures gracefully.
  • Regularly monitor and assess the security and reliability of external dependencies.
  • Consider implementing multiple WebAuthn authentication providers to mitigate the risk of a single point of failure.

Risk Assessment

1. Unauthorized Fund Movement

One of the primary risks associated with the smart wallet is the potential for unauthorized fund movement. Malicious actors may attempt to exploit vulnerabilities in the contract code or gain unauthorized access to owner accounts to transfer funds without permission.

Mitigation:

  • The smart wallet implements strict access control mechanisms, such as the onlyOwner modifier, to ensure that only authorized owners can initiate fund transfers.
  • The execute and executeBatch functions, which are used to execute transactions, are protected by the onlyEntryPointOrOwner modifier, restricting access to the EntryPoint contract and wallet owners.

Code snippet:

function execute(address target, uint256 value, bytes calldata data) public payable virtual onlyEntryPointOrOwner {
    _call(target, value, data);
}

2. Account Bricking

Another risk is the possibility of an attacker bricking the smart wallet, rendering it unusable. This could occur if an attacker gains control of the wallet and removes all owners or performs malicious actions that make the wallet inaccessible.

Mitigation:

  • The smart wallet includes safeguards to prevent the removal of all owners. The removeOwnerAtIndex function checks if removing an owner would leave the wallet without any owners and reverts the transaction if true.
  • The wallet also implements a multi-signature mechanism, requiring multiple owners to approve critical actions like owner removal or contract upgrades.

Code snippet:

function removeOwnerAtIndex(uint256 index) public virtual onlyOwner {
    bytes memory owner = ownerAtIndex(index);
    if (owner.length == 0) revert NoOwnerAtIndex(index);

    // Check if removing the owner would leave no owners
    if (ownerCount() == 1) revert CannotRemoveLastOwner();

    delete _getMultiOwnableStorage().isOwner[owner];
    delete _getMultiOwnableStorage().ownerAtIndex[index];

    emit RemoveOwner(index, owner);
}

3. Cross-Chain Replay Attacks

The smart wallet supports cross-chain transactions, allowing certain functions to be executed without chain ID validation. This feature introduces the risk of cross-chain replay attacks, where an attacker could replay a transaction on multiple chains, leading to unintended consequences.

Mitigation:

  • The smart wallet implements a cross-chain replay protection mechanism using the REPLAYABLE_NONCE_KEY. Transactions that are allowed to be replayed across chains are identified using this unique key.
  • The validateUserOp function checks the REPLAYABLE_NONCE_KEY and ensures that only authorized functions can be executed without chain ID validation.

Code snippet:

    function validateUserOp(UserOperation calldata userOp, bytes32 userOpHash, uint256 missingAccountFunds)
        public
        payable
        virtual
        onlyEntryPoint
        payPrefund(missingAccountFunds)
        returns (uint256 validationData)
    {
        uint256 key = userOp.nonce >> 64;


        // 0xbf6ba1fc = bytes4(keccak256("executeWithoutChainIdValidation(bytes)"))
        if (userOp.callData.length >= 4 && bytes4(userOp.callData[0:4]) == 0xbf6ba1fc) {
            userOpHash = getUserOpHashWithoutChainId(userOp);
            if (key != REPLAYABLE_NONCE_KEY) {
                revert InvalidNonceKey(key);
            }
        } else {
            if (key == REPLAYABLE_NONCE_KEY) {
                revert InvalidNonceKey(key);
            }
        }


        // Return 0 if the recovered address matches the owner.
        if (_validateSignature(userOpHash, userOp.signature)) {
            return 0;
        }


        // Else return 1, which is equivalent to:
        // `(uint256(validAfter) << (160 + 48)) | (uint256(validUntil) << 160) | (success ? 0 : 1)`
        // where `validUntil` is 0 (indefinite) and `validAfter` is 0.
        return 1;
    }

The function starts by extracting the key from the userOp.nonce. If the userOp.callData targets the executeWithoutChainIdValidation function (identified by the function selector 0xbf6ba1fc), it checks that the key matches the REPLAYABLE_NONCE_KEY. Otherwise, it ensures that the key is not the REPLAYABLE_NONCE_KEY.

The main signature validation happens in the _validateSignature function:

function _validateSignature(bytes32 message, bytes calldata signature)
    internal
    view
    virtual
    override
    returns (bool)
{
    SignatureWrapper memory sigWrapper = abi.decode(signature, (SignatureWrapper));
    bytes memory ownerBytes = ownerAtIndex(sigWrapper.ownerIndex);

    if (ownerBytes.length == 32) {
        if (uint256(bytes32(ownerBytes)) > type(uint160).max) {
            // technically should be impossible given owners can only be added with
            // addOwnerAddress and addOwnerPublicKey, but we leave incase of future changes.
            revert InvalidEthereumAddressOwner(ownerBytes);
        }

        address owner;
        assembly ("memory-safe") {
            owner := mload(add(ownerBytes, 32))
        }

        return SignatureCheckerLib.isValidSignatureNow(owner, message, sigWrapper.signatureData);
    }

    if (ownerBytes.length == 64) {
        (uint256 x, uint256 y) = abi.decode(ownerBytes, (uint256, uint256));

        WebAuthn.WebAuthnAuth memory auth = abi.decode(sigWrapper.signatureData, (WebAuthn.WebAuthnAuth));

        return WebAuthn.verify({challenge: abi.encode(message), requireUV: false, webAuthnAuth: auth, x: x, y: y});
    }

    revert InvalidOwnerBytesLength(ownerBytes);
}

The function decodes the signature as a SignatureWrapper, which contains the ownerIndex and signatureData. It retrieves the ownerBytes using the ownerAtIndex function.

If the ownerBytes length is 32, it treats it as an Ethereum address and validates the signature using SignatureCheckerLib.isValidSignatureNow.

If the ownerBytes length is 64, it treats it as a WebAuthn public key (x, y) and validates the signature using WebAuthn.verify.

Edge cases and considerations:

  • The function assumes that ownerBytes of length 32 represents a valid Ethereum address. It includes a check to ensure the address fits within uint160, but there could be other types of invalid addresses that pass this check.
  • The function assumes ownerBytes of length 64 represents a valid WebAuthn public key. It doesn't perform additional validation on the public key format or values.
  • The function uses abi.decode to decode the signature and signatureData. If the provided data doesn't match the expected format, it could lead to unexpected behavior or reverts.
  • The WebAuthn.verify function is called with requireUV: false, meaning it doesn't enforce user verification. This is a design choice, but it's worth considering if user verification should be required for certain operations.
  • The function returns 1 if the signature validation fails, which is a specific format expected by the EntryPoint. If the EntryPoint changes its format, this function would need to be updated accordingly.

To ensure the robustness of the validateUserOp function, consider the following:

  1. Review the ownerAtIndex function to ensure it correctly retrieves owner data and handles edge cases like out-of-bounds indices.
  2. Verify that the SignatureCheckerLib and WebAuthn libraries are secure and correctly integrated.
  3. Consider adding more explicit checks on the format and validity of ownerBytes and signature data.

4. Invalid Withdraw Requests

The MagicSpend component allows users to withdraw funds using signed withdraw requests. There is a risk of attackers attempting to withdraw funds using invalid or malicious withdraw requests.

Mitigation:

  • The MagicSpend contract includes thorough validation checks for withdraw requests, ensuring that only valid and authorized requests are processed.
  • The validatePaymasterUserOp function verifies the signature of the withdraw request and checks the expiry and nonce to prevent replay attacks.

Code snippet:

    function validatePaymasterUserOp(UserOperation calldata userOp, bytes32, uint256 maxCost)
        external
        onlyEntryPoint
        returns (bytes memory context, uint256 validationData)
    {
        WithdrawRequest memory withdrawRequest = abi.decode(userOp.paymasterAndData[20:], (WithdrawRequest));
        uint256 withdrawAmount = withdrawRequest.amount;


        if (withdrawAmount < maxCost) {
            revert RequestLessThanGasMaxCost(withdrawAmount, maxCost);
        }


        if (withdrawRequest.asset != address(0)) {
            revert UnsupportedPaymasterAsset(withdrawRequest.asset);
        }


        _validateRequest(userOp.sender, withdrawRequest);


        bool sigFailed = !isValidWithdrawSignature(userOp.sender, withdrawRequest);
        validationData = (sigFailed ? 1 : 0) | (uint256(withdrawRequest.expiry) << 160);


        // Ensure at validation that the contract has enough balance to cover the requested funds.
        // NOTE: This check is necessary to enforce that the contract will be able to transfer the remaining funds
        //       when `postOp()` is called back after the `UserOperation` has been executed.
        if (address(this).balance < withdrawAmount) {
            revert InsufficientBalance(withdrawAmount, address(this).balance);
        }


        // NOTE: Do not include the gas part in withdrawable funds as it will be handled in `postOp()`.
        _withdrawableETH[userOp.sender] += withdrawAmount - maxCost;
        context = abi.encode(maxCost, userOp.sender);
    }

5. False Positives/Negatives in WebAuthn and FreshCryptoLib

The smart wallet relies on the WebAuthnSol and FreshCryptoLib libraries for secure transaction authorization using WebAuthn authentication. False positives or false negatives in the validation process could lead to unauthorized access or denial of legitimate transactions.

Mitigation:

  • The WebAuthnSol library follows the WebAuthn specification closely, implementing the necessary validation steps to ensure the authenticity of WebAuthn assertions.
  • The FreshCryptoLib library has been audited and tested extensively to ensure the correctness of the cryptographic functions used for signature verification.
  • The smart wallet includes additional checks and error handling to mitigate the risk of false positives or false negatives in the validation process.

Code snippet:

function verify(bytes memory challenge, bool requireUV, WebAuthnAuth memory webAuthnAuth, uint256 x, uint256 y)
    internal
    view
    returns (bool)
{
    // ...

    if (webAuthnAuth.authenticatorData[32] & AUTH_DATA_FLAGS_UP != AUTH_DATA_FLAGS_UP) {
        return false;
    }

    if (requireUV && (webAuthnAuth.authenticatorData[32] & AUTH_DATA_FLAGS_UV) != AUTH_DATA_FLAGS_UV) {
        return false;
    }

    // ...
}

7.2 Scalability and Performance

As the usage of the smart wallet grows, scalability and performance considerations become crucial.

Risks:

  • High transaction volumes and complex computations could lead to increased gas costs and slower transaction processing.
  • Inefficient contract design or resource-intensive operations could impact the wallet's overall performance.

Recommendations:

  • Optimize the contract code for gas efficiency and minimize unnecessary computations.
  • Implement batch processing techniques to reduce the number of transactions and improve throughput.
  • Consider implementing off-chain scaling solutions, such as state channels or sidechains, to alleviate the load on the main Ethereum network.

To ensure the signature types (ERC-1271 and WebAuthn) are handled correctly with no room for bypass:

  1. isValidSignature function:
function isValidSignature(bytes32 hash, bytes calldata signature) public view virtual returns (bytes4 result) {
    if (_validateSignature(SignatureCheckerLib.toEthSignedMessageHash(hash), signature)) {
        // bytes4(keccak256("isValidSignature(bytes32,bytes)"))
        return 0x1626ba7e;
    }

    return 0xffffffff;
}

This function is the entry point for ERC-1271 signature validation. It takes a hash and a signature as input, converts the hash to an Ethereum signed message hash using SignatureCheckerLib.toEthSignedMessageHash, and then calls the internal _validateSignature function with the modified hash and the signature. If the signature is valid, it returns the ERC-1271 magic value 0x1626ba7e; otherwise, it returns 0xffffffff.

  1. _validateSignature function:
function _validateSignature(bytes32 message, bytes calldata signature)
    internal
    view
    virtual
    override
    returns (bool)
{
    SignatureWrapper memory sigWrapper = abi.decode(signature, (SignatureWrapper));
    bytes memory ownerBytes = ownerAtIndex(sigWrapper.ownerIndex);

    if (ownerBytes.length == 32) {
        if (uint256(bytes32(ownerBytes)) > type(uint160).max) {
            // technically should be impossible given owners can only be added with
            // addOwnerAddress and addOwnerPublicKey, but we leave incase of future changes.
            revert InvalidEthereumAddressOwner(ownerBytes);
        }

        address owner;
        assembly ("memory-safe") {
            owner := mload(add(ownerBytes, 32))
        }

        return SignatureCheckerLib.isValidSignatureNow(owner, message, sigWrapper.signatureData);
    }

    if (ownerBytes.length == 64) {
        (uint256 x, uint256 y) = abi.decode(ownerBytes, (uint256, uint256));

        WebAuthn.WebAuthnAuth memory auth = abi.decode(sigWrapper.signatureData, (WebAuthn.WebAuthnAuth));

        return WebAuthn.verify({challenge: abi.encode(message), requireUV: false, webAuthnAuth: auth, x: x, y: y});
    }

    revert InvalidOwnerBytesLength(ownerBytes);
}

This function is responsible for validating the signature based on the signature type (ERC-1271 or WebAuthn). It takes a message (hash) and a signature as input. The signature is decoded as a SignatureWrapper struct, which contains the ownerIndex and signatureData.

If the ownerBytes length is 32, it treats it as an Ethereum address. It checks if the ownerBytes can be converted to a valid Ethereum address (uint160). If the conversion fails, it reverts with an InvalidEthereumAddressOwner error. Otherwise, it extracts the Ethereum address from ownerBytes using assembly and validates the signature using SignatureCheckerLib.isValidSignatureNow.

If the ownerBytes length is 64, it treats it as a WebAuthn public key. It decodes the ownerBytes into x and y coordinates and decodes the signatureData as a WebAuthn.WebAuthnAuth struct. It then calls the WebAuthn.verify function to validate the signature using the provided message, x, y, and webAuthnAuth.

If the ownerBytes length is neither 32 nor 64, it reverts with an InvalidOwnerBytesLength error.

Edge cases and considerations:

  • The isValidSignature function assumes that the provided hash is a valid 32-byte hash. If the hash is not 32 bytes or is not a valid hash, the behavior may be unexpected.
  • The _validateSignature function relies on the ownerAtIndex function to retrieve the owner bytes based on the provided ownerIndex. If the ownerIndex is invalid or the ownerAtIndex function has vulnerabilities, it could affect the signature validation process.
  • The Ethereum address validation in _validateSignature only checks if the ownerBytes can be converted to a uint160. There could be other types of invalid addresses that pass this check.
  • The WebAuthn signature validation in _validateSignature relies on the correctness and security of the WebAuthn.verify function. Any vulnerabilities or weaknesses in the WebAuthn library could impact the signature validation.
  • The _validateSignature function uses abi.decode to decode the signature and signatureData. If the provided data doesn't match the expected format, it could lead to unexpected behavior or reverts.

To ensure the robustness and security of the signature validation process:

  1. Review the ownerAtIndex function to ensure it retrieves owner data correctly and securely.
  2. Consider adding more comprehensive Ethereum address validation checks beyond the uint160 conversion.
  3. Audit the WebAuthn.verify function and the WebAuthn library to ensure their correctness and security.
  4. Handle potential errors and exceptions gracefully when decoding the signature and signatureData using abi.decode.
  5. Regularly review and update the signature validation logic to align with any changes in the ERC-1271 standard or WebAuthn specifications.

The addOwnerAddress, addOwnerPublicKey, and removeOwnerAtIndex functions to verify proper access control and ensure that an owner cannot accidentally or maliciously remove all owners, making the account inaccessible.

  1. addOwnerAddress function:
function addOwnerAddress(address owner) public virtual onlyOwner {
    _addOwner(abi.encode(owner));
}

This function allows adding a new owner by providing an Ethereum address. It uses the onlyOwner modifier, which ensures that only an existing owner can call this function. The provided owner address is encoded using abi.encode and then passed to the internal _addOwner function.

  1. addOwnerPublicKey function:
function addOwnerPublicKey(bytes32 x, bytes32 y) public virtual onlyOwner {
    _addOwner(abi.encode(x, y));
}

This function allows adding a new owner by providing a WebAuthn public key (represented by x and y coordinates). Similar to addOwnerAddress, it uses the onlyOwner modifier to restrict access to only existing owners. The x and y coordinates are encoded using abi.encode and then passed to the internal _addOwner function.

  1. removeOwnerAtIndex function:
function removeOwnerAtIndex(uint256 index) public virtual onlyOwner {
    bytes memory owner = ownerAtIndex(index);
    if (owner.length == 0) revert NoOwnerAtIndex(index);

    delete _getMultiOwnableStorage().isOwner[owner];
    delete _getMultiOwnableStorage().ownerAtIndex[index];

    emit RemoveOwner(index, owner);
}

This function allows removing an owner at a specific index. It also uses the onlyOwner modifier to ensure only an existing owner can call it. The function retrieves the owner bytes at the given index using the ownerAtIndex function. If the owner bytes are empty (length == 0), it reverts with a NoOwnerAtIndex error. Otherwise, it deletes the owner from the isOwner mapping and the ownerAtIndex mapping, effectively removing the owner from the contract.

Access Control:

https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/MultiOwnable.sol#L201-L207

modifier onlyOwner() virtual {
    _checkOwner();
    _;
}

function _checkOwner() internal view virtual {
    if (isOwnerAddress(msg.sender) || (msg.sender == address(this))) {
        return;
    }

    revert Unauthorized();
}

It checks if the caller is an owner address or the contract itself. If not, it reverts with an Unauthorized error.

Preventing Removal of All Owners:

  • The removeOwnerAtIndex function allows removing an owner at a specific index. However, there is no explicit check to prevent removing the last remaining owner.
  • If an owner accidentally or maliciously calls removeOwnerAtIndex and removes all owners, the contract would become inaccessible since there would be no owners left to perform any operations.
  • To mitigate this risk, consider adding a check in the removeOwnerAtIndex function to ensure that at least one owner remains after the removal. For example: 
    function removeOwnerAtIndex(uint256 index) public virtual onlyOwner {
    // ...
    if (_getMultiOwnableStorage().currentOwnerCount == 1) revert CannotRemoveLastOwner();
    // ...
}
    This check would prevent removing the last owner and revert with a CannotRemoveLastOwner error.

Edge Cases and Considerations:

  • The addOwnerAddress and addOwnerPublicKey functions do not check for duplicate owners. If the same owner address or public key is added multiple times, it could lead to inconsistencies and unnecessary storage usage.
  • The removeOwnerAtIndex function relies on the ownerAtIndex function to retrieve the owner bytes. If the ownerAtIndex function has vulnerabilities or returns unexpected values, it could impact the removal process.
  • The removeOwnerAtIndex function emits a RemoveOwner event, but there are no corresponding events for addOwnerAddress and addOwnerPublicKey. Consider adding events for consistency and transparency.

To further enhance the security and robustness of the owner management functions:

  1. Implement checks to prevent adding duplicate owners in addOwnerAddress and addOwnerPublicKey.
  2. Ensure that the ownerAtIndex function is thoroughly tested and audited for correctness and security.
  3. Add events for addOwnerAddress and addOwnerPublicKey to provide transparency and allow monitoring of owner changes.
  4. Consider implementing additional access control mechanisms, such as requiring multiple owner approvals for critical operations like owner removal.

The upgrade functionality via UUPSUpgradeable.upgradeToAndCall to ensure it is secure and prevents a malicious owner from upgrading to a faulty implementation contract that could brick the account.

  1. upgradeToAndCall function: The upgradeToAndCall function is inherited from the UUPSUpgradeable contract provided by the Solady library. Here's the relevant code snippet from the Solady library:
function upgradeToAndCall(address newImplementation, bytes memory data) external payable virtual onlyProxy {
    _authorizeUpgrade(newImplementation);
    _upgradeToAndCallUUPS(newImplementation, data, true);
}

The function takes two parameters:

  • newImplementation: The address of the new implementation contract to upgrade to.
  • data: Additional data to be passed to the new implementation contract during the upgrade process.

The function performs the following steps:

  • Calls the _authorizeUpgrade function to check if the caller is authorized to perform the upgrade.
  • Calls the _upgradeToAndCallUUPS function to execute the actual upgrade process and pass the additional data to the new implementation contract.
  1. _authorizeUpgrade function: In the SmartWallet contract, the _authorizeUpgrade function is overridden to implement the access control for upgrades. Here's the relevant code snippet: https://github.com/code-423n4/2024-03-coinbase/blob/e0573369b865d47fed778de00a7b6df65ab1744e/src/SmartWallet/CoinbaseSmartWallet.sol#L330
function _authorizeUpgrade(address) internal view virtual override(UUPSUpgradeable) onlyOwner {}

The _authorizeUpgrade function is marked with the onlyOwner modifier, which ensures that only an owner of the SmartWallet contract can authorize an upgrade. If a non-owner tries to initiate an upgrade, the onlyOwner modifier will revert the transaction.

  1. Security Analysis:

  • The upgradeToAndCall function itself is secure as it inherits the implementation from the Solady library, which has been audited and is widely used.

  • The access control for upgrades is properly implemented using the onlyOwner modifier in the _authorizeUpgrade function. This ensures that only current owners of the SmartWallet contract can initiate an upgrade.

  • However, it's important to note that if a malicious owner is present among the current owners, they could potentially initiate an upgrade to a faulty implementation contract that could brick the account.

  • To mitigate this risk, consider implementing additional safeguards, such as:

    • Requiring multiple owner approvals for upgrades: Instead of allowing a single owner to initiate an upgrade, require a minimum number of owners to approve the upgrade before it can be executed.
    • Timelock mechanism: Introduce a timelock period between the proposal of an upgrade and its execution. This allows other owners to review and potentially cancel the upgrade if it is deemed malicious.
    • Emergency stop mechanism: Implement an emergency stop functionality that allows a designated owner or a multisig wallet to halt the upgrade process if a malicious upgrade is detected.
  1. Potential Vulnerabilities:
  • If a malicious owner is present among the current owners, they could upgrade to a faulty implementation contract that contains vulnerabilities or malicious code.
  • The _authorizeUpgrade function does not perform any additional checks on the newImplementation address. A malicious owner could potentially upgrade to a contract that is not a valid implementation or contains unexpected behavior.
  1. Recommendations:
  • Implement additional safeguards, such as multiple owner approvals, timelock, and emergency stop mechanisms, to mitigate the risk of malicious upgrades.
  • Perform thorough testing and auditing of the new implementation contract before allowing an upgrade. Ensure that the new contract is secure, follows the expected behavior, and does not introduce any vulnerabilities.
  • Consider implementing additional checks in the _authorizeUpgrade function to verify the validity and integrity of the newImplementation contract before allowing the upgrade.
  • Regularly review and monitor the upgrade process to detect and respond to any suspicious or malicious upgrade attempts.

While the current implementation of the upgrade functionality using UUPSUpgradeable.upgradeToAndCall provides basic security through the onlyOwner access control, it is important to consider the risks associated with malicious owners and implement additional safeguards to mitigate those risks.

By implementing multiple owner approvals, timelock, emergency stop mechanisms, and thorough testing and auditing of new implementation contracts, the security of the upgrade process can be significantly enhanced, reducing the chances of a malicious upgrade that could brick the account.

8. Conclusion

The Coinbase Smart Wallet codebase demonstrates a well-structured and modular design, with a focus on security and extensibility. However, there are potential risks and areas for improvement that should be addressed to enhance the wallet's overall security and reliability.

The Coinbase Smart Wallet implements various security measures and best practices to mitigate potential risks and vulnerabilities. However, it is essential to continuously monitor and audit the system to identify and address any emerging threats. Regular security assessments, code reviews, and testing should be conducted to ensure the ongoing security and reliability of the smart wallet.

By understanding the architecture, risk assessment, and mitigation strategies, developers and users can make informed decisions when interacting with the Coinbase Smart Wallet. The provided code snippets demonstrate the implementation of critical security features and serve as a reference for further analysis and improvement.

Key recommendations include:

  • Implementing robust access control mechanisms for owner management and contract upgrades.
  • Conducting thorough testing and auditing of external dependencies and integration points.
  • Enhancing error handling and input validation across the codebase.
  • Establishing clear guidelines and procedures for owner responsibilities and accountability.
  • Optimizing the contract code for gas efficiency and scalability.

By addressing these recommendations and continuously monitoring and updating the smart wallet system, Coinbase can provide a secure and trustworthy solution for users to manage their digital assets.

Time spent:

38 hours

#0 - c4-pre-sort

2024-03-22T21:17:29Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2024-03-27T10:36:56Z

3docSec marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter