author : taek lee

auditing at Spearbit


Last week, I was going through eth-infinitism’s account-abstraction contract repository and found a vulnerability in their sample code. I have contacted eth-infinitism about the vulnerability and got approval to share this with the public.

TL;DR: Your funds are safe if you are not running VerifyingPaymaster.

Summary

target code : https://github.com/eth-infinitism/account-abstraction

commit hash : 6dea6d8752f64914dd95d932f673ba0f9ff8e144

Disclaimer

I am a security researcher, but I am not an ERC4337 expert. I need to follow up with researchers for the rationale on design choices, so my solutions may conflict with their spec or intentions.

This report does not mean that the smart contract does not contain any other security flaws. I have focused on malicious signature replay events.

Background

The ERC4337 contracts are composed of 1) EntryPoint, 2) Sender (Account), 3) Paymaster, and 4) Aggregator.

The Aggregator is important, but I’m skipping it because it is not relevant to the findings.

EntryPoint

EntryPoint is the only component that needs to be trusted. Sender and Paymaster should trust EntryPoint.

EntryPoint is where Bundlers execute transactions. A passed transaction is unbundled into UserOperations, which are then verified and executed based on the EntryPoint logic.

EntryPoint is also expected to be deployed only once, but it can be deployed multiple times if an upgrade is needed.

Sender