author : taek lee

auditing at Spearbit

affected code : https://github.com/eth-infinitism/account-abstraction/tree/6aeb39663bd66a6b7eb78e85f444881b9e8d9d04

tl;dr

• develop branch’s EIP4337Manager can be destructed but does not risk user’s funds
• 0.4.0 release version gnosis based wallets are in risk of losing funds

Background

Gnosis Safe proxy supports “module” which means address that can call executeFromModule~() on safe. This is used to adding extensions for adding functionality in the safe contract.

Registration is done through safe.enableModule() function and EIP4337Fallback and EntryPoint is registered as module in this case.

Also, EIP4337Fallback is registered as fallback handler in Safe to enable functions not defined on gnosis singleton.

UserOp Flow

UserOp has to be “validated by sender” and “executed by sender”. So entrypoint first validates and executes the UserOp.

Validation

Validation of userOp is done through validateUserOp().

It is called by EntryPoint and Sender delegatecalls this data to Gnosis singleton contract. Gnosis singleton calls fallbackHandler with same msg.data since it does not have validateUserOp() in the implementation contract. As stated in Background, EIP4337Fallback is the fallbackHandler, Sender calls EIP4337Fallback’s validateUserOp().

validateUserOP() call flow #1 - validateUserOp()

And EIP4337Fallback calls back the Sender with execTransactionFromModuleReturnData() and forwards the msg.data. And Sender delegatecalls EIP4337Manager and executes validateUserOp().