Platform: Code4rena
Start Date: 04/01/2023
Pot Size: $60,500 USDC
Total HM: 15
Participants: 105
Period: 5 days
Judge: gzeon
Total Solo HM: 1
Id: 200
League: ETH
Rank: 59/105
Findings: 1
Award: $78.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0xDave, 0xbepresent, HE1M, Kutu, betweenETHlines, hansfriese, hihen, peanuts, prc, wait
78.2598 USDC - $78.26
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccount.sol#L460
https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccount.sol#L465
The function _requireFromEntryPointOrOwner() is being called within the execute() and executeBatch() functions to check if the msg.sender is either the owner or the EntryPoint contract, but these functions have the onlyOwner() modifier, which will only allow the owner to execute these functions.
function execute(address dest, uint value, bytes calldata func) external onlyOwner {
    _requireFromEntryPointOrOwner();
    _call(dest, value, func);
}

function executeBatch(address[] calldata dest, bytes[] calldata func) external onlyOwner {
    _requireFromEntryPointOrOwner();
    require(dest.length == func.length, "wrong array lengths");
    for (uint i = 0; i < dest.length;) {
        _call(dest[i], 0, func[i]);
        unchecked {
            ++i;
        }
    }
}
Calling these functions from the EntryPoint contract will fail.
VSCode
Remove the onlyOwner modifier from both functions.
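The conflict and the recommended fix side by side, as an added example that is not the Biconomy SmartAccount code. The contract name, the `owner` and `entryPoint` storage, the `executeAsReported`/`executeFixed` names, the `_call` body and the revert strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Added illustration: a stripped-down account, NOT the project's SmartAccount.
// Storage layout, function names and revert strings are assumptions.
contract AccessCheckDemo {
    address public immutable owner;
    address public immutable entryPoint;

    constructor(address _owner, address _entryPoint) {
        owner = _owner;
        entryPoint = _entryPoint;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function _requireFromEntryPointOrOwner() internal view {
        require(
            msg.sender == entryPoint || msg.sender == owner,
            "not owner or EntryPoint"
        );
    }

    // As reported: the modifier runs before the body, so a call from
    // entryPoint reverts with "not owner" and the inner check is never reached.
    function executeAsReported(address dest, uint256 value, bytes calldata func) external onlyOwner {
        _requireFromEntryPointOrOwner();
        _call(dest, value, func);
    }

    // Recommended mitigation: drop onlyOwner so the inner check is the only gate.
    // owner and entryPoint pass; every other caller still reverts.
    function executeFixed(address dest, uint256 value, bytes calldata func) external {
        _requireFromEntryPointOrOwner();
        _call(dest, value, func);
    }

    function _call(address dest, uint256 value, bytes memory func) internal {
        (bool ok, bytes memory ret) = dest.call{value: value}(func);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) } // bubble up the callee's revert data
        }
    }

    receive() external payable {}
}
```

A regression test for the fix should call the function from three addresses (owner, entryPoint, and an unrelated account) and expect success, success, and a revert respectively.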
#0 - c4-judge
2023-01-18T00:40:46Z
gzeon-c4 marked the issue as duplicate of #390
#1 - c4-sponsor
2023-01-26T06:35:29Z
livingrockrises marked the issue as sponsor confirmed
#2 - c4-judge
2023-02-10T12:21:30Z
gzeon-c4 marked the issue as satisfactory