Platform: Code4rena
Start Date: 04/01/2023
Pot Size: $60,500 USDC
Total HM: 15
Participants: 105
Period: 5 days
Judge: gzeon
Total Solo HM: 1
Id: 200
League: ETH
Rank: 105/105
Findings: 1
Award: $22.72
๐ Selected for report: 0
๐ Solo Findings: 0
22.7235 USDC - $22.72
By using a smart contract to return the expected magic value an operator can bypass authentication checks in SmartAccount.
Bypassing the authentication would allow an operator to call other contracts using someone else's SmartAccount.
An operator can craft a signature such that it points to an address he controls. When the contract calls isValidSignature on his contract the contract returns the appropriate value. This part of the function doesnโt check if the signer matches the owner when it checks the contract signature.
operator creates a contract that returns ERC1271's magic value
operator crafts signature such that v == 0
The isValidSignature function is called on the operator's contract which returns the magic value
The contract executes the operators transaction
Require at least two signatures when using a contract signature so that one of the signatures can be used to verify the call came from the owner.
#0 - c4-judge
2023-01-17T06:56:52Z
gzeon-c4 marked the issue as duplicate of #175
#1 - c4-sponsor
2023-01-26T00:10:01Z
livingrockrises marked the issue as sponsor confirmed
#2 - c4-judge
2023-02-10T12:28:23Z
gzeon-c4 marked the issue as satisfactory