
Function: validateUserOp(UserOperation userOp, byte[32] userOpHash)

This function validates submitted user operations. It allows executing previously submitted recovery requests (after the security delay has elapsed) and submitting new recovery requests (which have to be signed by a sufficient number of guardians).

Inputs

  • userOp

    • Control: Partial (the most important field, callData, is arbitrary).

    • Constraints: callData must either correspond to a previous recovery request or represent a valid, signed recovery request submission.

    • Impact: Operation to be validated.

  • userOpHash

    • Control: None.

    • Constraints: None.

    • Impact: Hash of the userOp, computed by the entry point.

Branches and code coverage

Intended branches

  • Validates a previously submitted recovery request (starting from the end of the security delay period).

  • Allows submitting a new recovery request if properly signed and valid.

Negative behavior

  • Reverts if the module is not configured or the threshold is zero.

  • Reverts if not enough signatures are supplied.

  • Reverts if one (or more) signatures are invalid (do not match the guardian).

  • Reverts if one (or more) signatures correspond to an unauthorized guardian.

  • Reverts if one (or more) signatures are repeated or not in the correct order.

  • Reverts if the operation does not match a previous recovery request and is not a recovery request submission.
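
The signature-related negative cases above can be enforced in a single pass over the supplied signers. The sketch below is an added illustration, not the audited module's code; the contract name, storage layout, error names, the (guardian, signature) pairing, 65-byte ECDSA signatures and the reading of "correct order" as strictly ascending guardian address are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only (hypothetical contract, not the audited module).
// Assumes requestHash already binds the recovery request to this account and
// chain; how that hash is built is not described on this page.
contract GuardianQuorumSketch {
    mapping(address => bool) public isGuardian; // hypothetical storage
    uint256 public threshold;                   // 0 means "not configured"

    error NotConfigured();
    error NotEnoughSignatures();
    error DuplicateOrUnordered(address guardian);
    error UnauthorizedGuardian(address guardian);
    error InvalidSignature(address guardian);

    constructor(address[] memory guardians, uint256 threshold_) {
        for (uint256 i = 0; i < guardians.length; i++) isGuardian[guardians[i]] = true;
        threshold = threshold_;
    }

    function checkQuorum(
        bytes32 requestHash,
        address[] calldata guardians,
        bytes[] calldata signatures
    ) external view {
        if (threshold == 0) revert NotConfigured();
        if (guardians.length < threshold || signatures.length != guardians.length)
            revert NotEnoughSignatures();

        address last = address(0);
        for (uint256 i = 0; i < guardians.length; i++) {
            address g = guardians[i];
            // Strictly ascending addresses reject repeats without a seen-set,
            // so one guardian cannot be counted twice toward the threshold.
            if (g <= last) revert DuplicateOrUnordered(g);
            if (!isGuardian[g]) revert UnauthorizedGuardian(g);
            // g > address(0) here, so a failed ecrecover (zero) never matches.
            if (_recover(requestHash, signatures[i]) != g) revert InvalidSignature(g);
            last = g;
        }
    }

    function _recover(bytes32 hash, bytes calldata sig) private pure returns (address) {
        if (sig.length != 65) return address(0);
        return ecrecover(hash, uint8(sig[64]), bytes32(sig[0:32]), bytes32(sig[32:64]));
    }
}
```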

Zellic © 2024