Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Biconomy PasskeyRegistry and SessionKeyManager
GeneralOverview
Findings
Critical (1)
High (3)
Medium (1)
DiscussionVulnerable MerkleProof library versionThe `validateSessionUserOp` uses offsets
Threat ModelWhat are threat models?ERC20SessionValidationModule.solPasskeyRegistryModule.solSessionKeyManagerModule.sol
Audit ResultsSummary
Biconomy Labs
August 14, 2023
Biconomy PasskeyRegistry and SessionKeyManager
Findings Impact LevelCount
Critical1
High3
Medium1
Low0
Informational0
CriticalHighMediumLowInformational
Prepared by
Katerina BelotskaiaEngineer[email protected]
Ulrich MyhreEngineer[email protected]
About

Biconomy PasskeyRegistry and SessionKeyManager are modules for Biconomy Smart Account.

The PasskeyRegistry module is an authorization module that enables users to deploy a smart contract wallet without an externally owned account (EOA) while relying on passkeys instead. Users can effortlessly generate wallets leveraging their biometric data, thereby eliminating the need to recall intricate private keys or passphrases.

Session keys are a powerful concept of temporary user-issued cryptographic keys that are authorized to sign only a predefined set of operations. Biconomy introduces a modular approach to session keys to unlock as much use cases as possible in an efficient and reliable way.

Executive Summary

Zellic conducted a security assessment for Biconomy Labs from August 8th to August 14th, 2023. During this engagement, Zellic reviewed Biconomy PasskeyRegistry and SessionKeyManager's code for security vulnerabilities, design issues, and general weaknesses in security posture.

Zellic © 2023Back to top ↑