Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook
Vulnerability Description
Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.
CVSS Information
N/A
Vulnerability Type
授权机制不正确
Vulnerability Title
Modular Account 安全漏洞
Vulnerability Description
Modular Account是Alchemy开源的一个应用程序。 Modular Account存在安全漏洞,该漏洞源于allowlist模块未检查executeUserOp路径,可能导致绕过访问控制限制。
CVSS Information
N/A
Vulnerability Type
N/A