Category: Coding Mistakes

Session key maxAmount parameter is not stateful

Severity: Critical
Impact: Medium
Likelihood: Low

Description

One of the parameters in a session key used by the ERC20SessionValidationModule smart contract is the maxAmount parameter. This parameter determines the maximum amount of tokens the caller can transfer out of the smart account to a recipient (who is also authorized by the session key).

Within the validateSessionUserOp() function, the ERC20 Session Validation Module verifies that the user operation is not attempting to transfer more than the session key's maxAmount. If it is, validation fails.

However, the issue is that this validation is not stateful. The session key does not track the amount of tokens that have already been transferred using the session key.

Impact

This allows a malicious session key holder to continuously transfer out maxAmount of tokens over multiple user operations.

For example, if the maxAmount for a session key is 100 tokens, the expectation is that the session key becomes invalid or unusable after 100 tokens have been transferred using it.

However, in the current codebase, the user can keep using the session key across multiple user operations to transfer out maxAmount of tokens as many times as they want. They only need to ensure that the session key has not expired.

Since this leads to loss of funds of the smart account, the severity is Critical. However, because session keys are intended to be issued to trusted parties, we have decided that the likelihood of this occurring is Low. Therefore, we conclude that the final impact of this vulnerability is Medium.

Recommendations

Consider adding an additional parameter to the session key that tracks how many tokens have already been transferred. This can then be validated in validateSessionUserOp() as well.
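
The following simplified model contrasts the stateless check described in this finding with a stateful one that tracks cumulative spend. It is an added example, not code from the Biconomy codebase or from the fix; the contract, its functions, and its storage layout are hypothetical, and it assumes the smart account itself calls grant() and checkAndRecord().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of a session-key spending limit. All names here are
/// hypothetical; this is not the ERC20SessionValidationModule interface.
contract SessionSpendLimitModel {
    struct Session {
        uint256 maxAmount; // cap granted by the account owner
        uint48 validUntil; // expiry timestamp
    }

    // account => session key => session parameters
    mapping(address => mapping(address => Session)) public sessions;
    // account => session key => cumulative amount already transferred
    mapping(address => mapping(address => uint256)) public spent;

    error SessionExpired();
    error LimitExceeded(uint256 requested, uint256 remaining);

    /// Called by the account: (re)issues a session key and resets its counter.
    function grant(address sessionKey, uint256 maxAmount, uint48 validUntil) external {
        sessions[msg.sender][sessionKey] = Session(maxAmount, validUntil);
        spent[msg.sender][sessionKey] = 0;
    }

    /// Stateless check, as described in the finding: each request is compared
    /// against maxAmount in isolation, so it passes any number of times.
    function checkStateless(address account, address sessionKey, uint256 amount)
        external view returns (bool)
    {
        Session memory s = sessions[account][sessionKey];
        return block.timestamp <= s.validUntil && amount <= s.maxAmount;
    }

    /// Stateful check: the request is compared against what is left of the
    /// cap, then recorded, so maxAmount bounds the total across operations.
    function checkAndRecord(address sessionKey, uint256 amount) external {
        Session memory s = sessions[msg.sender][sessionKey];
        if (block.timestamp > s.validUntil) revert SessionExpired();
        uint256 remaining = s.maxAmount - spent[msg.sender][sessionKey];
        if (amount > remaining) revert LimitExceeded(amount, remaining);
        spent[msg.sender][sessionKey] += amount;
    }
}
```

With maxAmount set to 100, checkStateless() returns true for every 100-token request until expiry, while a second checkAndRecord() call for 100 tokens reverts with LimitExceeded.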

Remediation

This issue has been acknowledged by Biconomy Labs, and a fix was implemented in commit 1a11bd4f.

Zellic © 2025