Back to MyFDsYours's contests

Biconomy - Smart Contract Wallet contest - MyFDsYours's results

One-Stop solution to enable an effortless experience in your dApp to onboard new users and abstract away transaction complexities.

General Information

Platform: Code4rena

Start Date: 04/01/2023

Pot Size: $60,500 USDC

Total HM: 15

Participants: 105

Period: 5 days

Judge: gzeon

Total Solo HM: 1

Id: 200

League: ETH

Biconomy

Findings Distribution

Researcher Performance

Rank: 89/105

Findings: 1

Award: $36.50

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBiconomy

Findings Information

🌟 Selected for report: 0xSmartContract

Also found by: 0x1f8b, 0xAgro, 0xdeadbeef0x, 0xhacksmithh, 2997ms, Atarpara, Bnke0x0, Diana, HE1M, IllIllI, Josiah, Kalzak, Lirios, MalfurionWhitehat, MyFDsYours, Raiders, RaymondFam, Rolezn, SaharDevep, Sathish9098, Udsen, Viktor_Cortess, adriro, ast3ros, betweenETHlines, btk, chaduke, chrisdior4, cryptostellar5, csanuragjain, giovannidisiena, gz627, hl_, horsefacts, joestakey, juancito, ladboy233, lukris02, nadin, oyc_109, pauliax, peanuts, prady, sorrynotsorry, zaskoh

Awards

36.5015 USDC - $36.50

Labels

bug
grade-b
QA (Quality Assurance)
sponsor confirmed
edited-by-warden
Q-29

External Links

Link to GitHub issue

Summary

[L-01] Lack of two steps procedure for new ownership
[NC-01] RETURNDATASIZE opcode is called 3 times 
[NC-02] Repeated function getNonce() and nonce()
[NC-03] Missing docstrings
[NC-04] Unnamed return parameters

[L-01] Lack of two steps procedure for new ownership

In SmartAccount.sol L109

The owner of the smart account have critical rights, (like transferring funds, executing multiples transactions and so on), 
then it very useful to implement a two steps confirmation that gives to the owner the right to make a mistake (set an incorrect 
owner address for example) without necessarily having a great consequence.

Recommandation

Capture d’écran du 2023-01-08 14-52-26

[NC-01] RETURNDATASIZE opcode is called 3 times L25

In Proxy.sol in the fallback function, RETURNDATASIZE opcode is called 3 times.

Recommendation:

Use intermediate variables inside the assembly in Proxy.sol contract, to avoid executing opcodes
multiple times.

Instead of this:

returndatacopy(0, 0, returndatasize())
switch success
case 0 { revert(0, returndatasize()) }
default { return(0, returndatasize()) }

Use cached variable:

let rds := returndatasize()
returndatacopy(0, 0, rds)
switch success
case 0 { revert(0, rds) }
default { return(0, rds) }

Also present in ModuleManager L93

[NC-02] Repeated function getNonce() and nonce()

In SmartAccount.sol L97

These two [ getNonce() and nonce() ] have to return the number of transaction by giving the batchId; 

Having two functions that return the same thing is not necessary and can be confusing.

Recommandation

Remove the nouce() function and keep getNounce() function that is more explecit and documented

[NC-03] Missing docstrings

Throughout the codebase there are several parts that do not have docstrings. Some examples are:

L449 in the SmartAccount contract

L455 in the SmartAccount contract

L460 in the SmartAccount contract

L465 in the SmartAccount contract

L494 in the SmartAccount contract

When writing docstrings, consider following the Ethereum Natural Specification Format (NatSpec).

[NC-04] Unnamed return parameters

Consider adding and using named return parameters to improve explicitness and readability.

In SmartAccount.sol L140

Recommandation

Capture d’écran du 2023-01-09 19-58-41

#0 - c4-judge

2023-01-22T15:51:45Z

gzeon-c4 marked the issue as grade-b

#1 - c4-sponsor

2023-02-09T12:33:35Z

livingrockrises marked the issue as sponsor confirmed

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter