
Vulnerable MerkleProof library version

During the security audit, it was identified that the SessionKeyManager uses an outdated version of OpenZeppelin's MerkleProof library. The version in use, in the range V4.7 to V4.9, is affected by CVE-2023-34459, which may allow malicious actors to prove arbitrary leaves for specific trees when multiproofs are used. Although the SessionKeyManager does not directly use the vulnerable MerkleProof functions, it is strongly recommended to upgrade to the latest version of the library as a best practice for maintaining the security and integrity of the project. Using the latest version also protects the project against potential future exploits and vulnerabilities that may arise from outdated code.
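The triage behind this finding can be repeated on any code base with a short script. The following is an added example, not code from the audited project or from OpenZeppelin: it checks whether the pinned `@openzeppelin/contracts` version falls in the range reported above and whether any source file calls MerkleProof's multiproof functions. The file name and Solidity snippet are constructed, and the upper bound of the range is taken from this report rather than from the advisory.

```python
import re

# Range as stated in the finding (V4.7 to V4.9). Assumption: check the
# CVE-2023-34459 advisory for the exact patched release before relying on it.
AFFECTED_MAJOR, AFFECTED_MINORS = 4, range(7, 10)

# Multiproof entry points of OpenZeppelin's MerkleProof library.
MULTIPROOF_CALL = re.compile(
    r"\b(multiProofVerify(?:Calldata)?|processMultiProof(?:Calldata)?)\s*\(")

# Constructed sample: imports MerkleProof but only uses single-leaf verify().
SAMPLE_SOURCES = {
    "SessionKeyManagerLike.sol":
        'import "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";\n'
        "// multiProofVerify( is mentioned only in this comment\n"
        "bool ok = MerkleProof.verify(proof, root, leaf);\n",
}

def version_in_reported_range(version):
    """True if a package.json version spec starts at 4.7.x through 4.9.x."""
    m = re.match(r"[\^~=<>v\s]*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return int(m.group(1)) == AFFECTED_MAJOR and int(m.group(2)) in AFFECTED_MINORS

def strip_comments(source):
    """Heuristically drop // and /* */ comments, preserving line numbers."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def multiproof_call_sites(sources):
    """Return (file, line, function) for each multiproof call outside comments."""
    hits = []
    for name, text in sorted(sources.items()):
        for lineno, line in enumerate(strip_comments(text).splitlines(), 1):
            hits += [(name, lineno, m.group(1)) for m in MULTIPROOF_CALL.finditer(line)]
    return hits

def triage(version, sources):
    """'ok', 'upgrade-recommended' (in range, no calls) or 'exposed' (in range, calls)."""
    if not version_in_reported_range(version):
        return "ok", []
    hits = multiproof_call_sites(sources)
    return ("exposed" if hits else "upgrade-recommended"), hits

if __name__ == "__main__":
    print(triage("^4.8.1", SAMPLE_SOURCES))
```

A result of `upgrade-recommended` corresponds to the situation described in this finding: the dependency is in the affected range, but no multiproof function is called.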

Zellic © 2024