Coinbase Smart Wallet - Koala's results

Smart Wallet from Coinbase Wallet

General Information

Platform: Code4rena

Start Date: 14/03/2024

Pot Size: $49,000 USDC

Total HM: 3

Participants: 51

Period: 7 days

Judge: 3docSec

Id: 350

League: ETH

Coinbase

Findings Distribution

Researcher Performance

Rank: 21/51

Findings: 1

Award: $36.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

36.3397 USDC - $36.34

Labels

bug
downgraded by judge
grade-a
QA (Quality Assurance)
sufficient quality report
:robot:_08_group
duplicate-18
Q-11

External Links

Lines of code

https://github.com/code-423n4/2024-03-coinbase/blob/main/src/SmartWallet/CoinbaseSmartWallet.sol#L189-L212

Vulnerability details

Impact

Every owner of the smart wallet can add or remove other owners, and can also remove all owners from the smart wallet.

Proof of Concept

Owners can interact with the smart wallet through a UserOperation, and can also interact with it directly through the execute and executeBatch functions of CoinbaseSmartWallet.

https://github.com/code-423n4/2024-03-coinbase/blob/main/src/SmartWallet/CoinbaseSmartWallet.sol#L189-L212

```solidity
/// @notice Execute the given call from this account.
///
/// @dev Can only be called by the Entrypoint or an owner of this account (including itself).
///
/// @param target The target call address.
/// @param value The call value to user.
/// @param data The raw call data.
function execute(address target, uint256 value, bytes calldata data)
    public
    payable
    virtual
    onlyEntryPointOrOwner
{
    _call(target, value, data);
}

/// @notice Execute the given list of calls from this account.
///
/// @dev Can only be called by the Entrypoint or an owner of this account (including itself).
///
/// @param calls The list of `Call`s to execute.
function executeBatch(Call[] calldata calls) public payable virtual onlyEntryPointOrOwner {
    for (uint256 i; i < calls.length;) {
        _call(calls[i].target, calls[i].value, calls[i].data);
        unchecked {
            ++i;
        }
    }
}
```

_call(target, value, data) lets any owner perform any operation through the CoinbaseSmartWallet, including calls that target the wallet itself.

So a malicious owner can use this path to reach _call and add or remove owners of the CoinbaseSmartWallet.

All assets and operations of the CoinbaseSmartWallet can therefore be managed by any single owner.

So it has the same vulnerabilities as a traditional EOA: compromising one owner key compromises the whole wallet.

Tools Used

Manual review

Add additional security functions to prevent the traditional vulnerabilities.

Also restrict the permission to add or remove owners.
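As an added example (not code from the Coinbase repository or from this report), the following Solidity sketch models both the pattern the proof of concept describes and the restriction the mitigation asks for. `OpenOwnerWallet` lets any owner reach the `onlySelf` owner-management functions by pointing `execute` at the wallet itself; `QuorumOwnerWallet` refuses that self-call path for the owner-management selectors and instead requires a majority of the current owners to approve any owner change, and never lets the last owner be removed. All contract, function and variable names here are hypothetical and do not correspond to the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative wallet (added example, not Coinbase's code). As in the finding,
/// execute() is open to every owner and may target address(this), so a single
/// owner reaches the onlySelf owner-management functions through a self-call.
contract OpenOwnerWallet {
    mapping(address => bool) public isOwner;
    uint256 public ownerCount;

    modifier onlyOwner() { require(isOwner[msg.sender], "not owner"); _; }
    modifier onlySelf()  { require(msg.sender == address(this), "only self"); _; }

    constructor(address[] memory owners) {
        for (uint256 i; i < owners.length; ++i) _setOwner(owners[i], true);
    }

    receive() external payable {}

    function execute(address target, uint256 value, bytes calldata data)
        external payable virtual onlyOwner
    {
        _call(target, value, data);
    }

    /// Any owner reaches these with
    /// execute(address(this), 0, abi.encodeCall(this.addOwner, (newOwner))).
    function addOwner(address o) external onlySelf { _setOwner(o, true); }
    function removeOwner(address o) external onlySelf { _setOwner(o, false); }

    function _setOwner(address o, bool on) internal {
        if (isOwner[o] == on) return;
        isOwner[o] = on;
        if (on) ownerCount += 1; else ownerCount -= 1;
    }

    function _call(address target, uint256 value, bytes memory data) internal {
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        if (!ok) {
            // Bubble up the callee's revert reason unchanged.
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}

/// Hardened variant: execute() refuses self-calls into the owner-management
/// selectors, and owner changes require approval from a majority of the
/// current owners, so one compromised owner key cannot take over the wallet
/// or empty the owner set.
contract QuorumOwnerWallet is OpenOwnerWallet {
    // changeId => owner => approved; changeId => approval count
    mapping(bytes32 => mapping(address => bool)) public approvedBy;
    mapping(bytes32 => uint256) public approvals;

    constructor(address[] memory owners) OpenOwnerWallet(owners) {}

    function execute(address target, uint256 value, bytes calldata data)
        external payable override onlyOwner
    {
        if (target == address(this) && data.length >= 4) {
            bytes4 sel = bytes4(data[:4]);
            require(
                sel != this.addOwner.selector && sel != this.removeOwner.selector,
                "owner change needs quorum"
            );
        }
        // address(this) is never an owner, so execute cannot be nested through a
        // self-call to slip past the selector check above.
        _call(target, value, data);
    }

    function quorum() public view returns (uint256) { return ownerCount / 2 + 1; }

    /// Each owner approves (subject, add/remove) once; the change is applied when
    /// approvals reach quorum. ownerCount is part of the id so approvals gathered
    /// under an older owner set do not carry over to the new one.
    function approveOwnerChange(address subject, bool add) external onlyOwner {
        bytes32 id = keccak256(abi.encode(subject, add, ownerCount));
        require(!approvedBy[id][msg.sender], "already approved");
        approvedBy[id][msg.sender] = true;
        approvals[id] += 1;
        if (approvals[id] >= quorum()) {
            require(add || ownerCount > 1, "cannot remove the last owner");
            _setOwner(subject, add);
        }
    }
}
```

The selector check in `execute` is only meaningful because the wallet is not its own owner; if a design does treat `address(this)` as an owner (as the quoted `onlyEntryPointOrOwner` comment says the audited wallet does), the same guard must also cover the nested-`execute` route, otherwise the restriction can be wrapped in a second self-call. A quorum of one owner set is the simplest restriction; a timelock on owner removals is another option that keeps the page's recommendation while giving the remaining owners time to react.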

Assessed type

Other

#0 - c4-pre-sort

2024-03-21T22:14:22Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-03-21T22:14:29Z

raymondfam marked the issue as duplicate of #18

#2 - raymondfam

2024-03-21T22:14:37Z

See #18.

#3 - c4-pre-sort

2024-03-22T22:32:17Z

raymondfam marked the issue as duplicate of #22

#4 - c4-pre-sort

2024-03-24T14:46:48Z

raymondfam marked the issue as duplicate of #181

#5 - c4-judge

2024-03-27T08:58:20Z

3docSec marked the issue as not a duplicate

#6 - c4-judge

2024-03-27T08:58:28Z

3docSec marked the issue as duplicate of #18

#7 - c4-judge

2024-03-27T10:20:16Z

3docSec changed the severity to QA (Quality Assurance)

#8 - c4-judge

2024-03-27T10:22:08Z

3docSec marked the issue as grade-a

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
