Guardians could collude to prevent account recovery
Account recovery actions require a security delay before they can take effect. This is enforced by recording account-recovery requests alongside the timestamp when they are submitted. In the initial version of the code under review, additional account recovery requests could be submitted, replacing the currently pending one if it exists.
After discussing the implications of this mechanism with the Biconomy development team, the code was changed in commit to prevent submitting new account recovery requests that would replace a pending request.
The impact of either option can be felt in some unlikely scenarios where the user loses access to their account and a number of guardians greater than the threshold are compromised.
Scenario 1 -- replacing recovery requests is allowed: In this case, the set of malicious guardians could delay account recovery indefinitely. The rogue guardians could continue to submit new recovery requests, replacing the previously stored one and its timestamp, delaying account recovery for as long as they want. In turn, if a number of legitimate guardians over the threshold exist, the user could fight for control of the account by submitting legitimate account recovery requests.
Scenario 2 -- replacing recovery requests is not allowed: In this case, an account recovery request would have to take effect (it cannot be cancelled due to the assumption that the user has lost other means of access to the account). Therefore, the first set of guardians to submit a recovery request would be able to gain control of the account.
Considering the difficulty in predicting the likelihood of the events that enable both scenarios, there do not seem to be strong arguments for preferring one behavior over the other. In both scenarios, the set of rogue guardians would have to coordinate with the event that leads to the user losing access to their account. If they were to start acting maliciously before that, the user could cancel the account recovery request and remove the rogue guardians. If replacing account recovery requests is allowed, there is a possibility to submit malicious account recovery requests, counteracted by the possibility to re-submit legitimate ones (if enough honest guardians exist). If replacing requests is not allowed, the first request is processed without the possibility to interfere; the outcome for the account owner would then be decided by whether a legitimate or rogue set of guardians submits an account recovery request.
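To make the two policies concrete, the following is an added Python model of a guardian recovery module with a security delay, written for this review and not Biconomy's code; the guardian names, the 2-of-4 threshold and the delay of 100 are constructed assumptions. It runs both scenarios and the owner-cancellation path described above.

```python
from dataclasses import dataclass

@dataclass
class Request:
    new_owner: str
    submitted_at: int  # timestamp recorded when the request was submitted

class RecoveryModule:
    # Toy model: a request takes effect only after `delay`; allow_replace picks the original (True) or post-fix (False) behaviour.
    def __init__(self, owner, guardians, threshold, delay, allow_replace):
        self.owner, self.guardians = owner, set(guardians)
        self.threshold, self.delay = threshold, delay
        self.allow_replace, self.pending = allow_replace, None
    def submit(self, signers, new_owner, now):
        if len(set(signers) & self.guardians) < self.threshold:
            raise PermissionError("not enough guardian signatures")
        if self.pending is not None and not self.allow_replace:
            raise RuntimeError("a recovery request is already pending")
        self.pending = Request(new_owner, now)  # a replacement also resets the clock
    def cancel(self, caller):  # only the owner, and only while they still have access
        if caller != self.owner:
            raise PermissionError("only the current owner can cancel")
        self.pending = None
    def execute(self, now):
        if self.pending is None or now < self.pending.submitted_at + self.delay:
            return False
        self.owner, self.pending = self.pending.new_owner, None
        return True

HONEST, ROGUE = ["g1", "g2"], ["g3", "g4"]  # constructed: threshold 2 of 4 guardians

def scenario_replace_allowed(rounds=5):
    """Scenario 1: each side replaces the other's request just before it matures,
    so nothing takes effect for as long as the rogue set keeps submitting."""
    m = RecoveryModule("owner", HONEST + ROGUE, 2, 100, allow_replace=True)
    now = 0
    for _ in range(rounds):
        m.submit(HONEST, "owner-new-key", now)  # honest request, matures at now+100
        m.submit(ROGUE, "rogue-key", now + 99)  # replaced one unit before maturity
        now += 99
    return m.execute(now + 1), m.owner  # (False, "owner"): still stalled

def scenario_no_replace(first, target, second):
    """Scenario 2: the first request is locked in; the second set cannot interfere."""
    m = RecoveryModule("owner", HONEST + ROGUE, 2, 100, allow_replace=False)
    m.submit(first, target, 0)
    try:
        m.submit(second, "other-key", 1)
    except RuntimeError:
        pass  # rejected: a request is already pending
    m.execute(100)
    return m.owner
```

The model also shows why the owner's cancel path matters: a rogue request submitted while the owner still has access can simply be cancelled before the delay elapses.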