author : Taek Lee
auditing at Spearbit
Last week, I was going through eth-infinitism’s account-abstraction contract repository and found a vulnerability in their sample code. I have contacted eth-infinitism about the vulnerability and got approval to share this with the public.
TL;DR: Your funds are safe if you are not running VerifyingPaymaster.
target code : https://github.com/eth-infinitism/account-abstraction
commit hash : 6dea6d8752f64914dd95d932f673ba0f9ff8e144
I am a security researcher but I am not an ERC4337 expert; I need to follow up with researchers for the rationale on design choices, thus my solutions may conflict with their spec or intentions.
And this report does not mean that the smart contract does not contain any other security flaws. I have focused on malicious signature replay events.
ERC4337 contracts are composed of 1) EntryPoint, 2) Sender (Account), 3) Paymaster, and 4) Aggregator.
Aggregator is important but I’m skipping it because it is not relevant to the findings.
EntryPoint is the only component that needs to be trusted. Sender and Paymaster should trust EntryPoint.
EntryPoint is where Bundlers execute transactions. Passed transactions are unbundled into UserOperations, which are then verified and executed based on the logic.
Also, EntryPoint is expected to be deployed only once, but it can be deployed multiple times if an upgrade is needed.