Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: [QS-01] revert on presence of validation hooks in deferred validation, and run validation-associated execution hooks #287

Open
wants to merge 4 commits into
base: adam/fix-execute-user-op-with-def-action
Choose a base branch
from
Open

fix: [QS-01] revert on presence of validation hooks in deferred validation, and run validation-associated execution hooks #287

wants to merge 4 commits into from
+284 −49

Conversation

Zer0dot
Copy link
Contributor

@Zer0dot Zer0dot commented Nov 11, 2024

Motivation

Currently, it's possible to skip userOp validation hooks if the validation function being used is also a signature validation through deferred installation. Furthermore, we're not running userOp validation-associated execution hooks, when we could be.

Solution

Revert if the validation being used includes validation hooks, and run the validation-associated pre and post hooks tied to that validation.

@octane-security-app-dev Octane Security App Dev
Copy link

octane-security-app-dev bot commented Nov 11, 2024
edited
Loading

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

  • ModularAccountBase.sol: The update introduces error checks for validation hooks, adds execution hooks for validation, and refactors deferred validation typing.
  • MockCountModule.sol: Updated error message in the postExecutionHook function to specify "mockCountModule" instead of "mock direct call."

🔗 Commit Hash: 85a7a12

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 11, 2024
edited
Loading

Contract sizes:

 | Contract                      | Runtime Size (B) | Initcode Size (B) | Runtime Margin (B) | Initcode Margin (B) |
 |-------------------------------|------------------|-------------------|--------------------|---------------------|
 | AccountFactory                |            4,814 |             5,239 |             19,762 |              43,913 |
 | AllowlistModule               |            9,903 |             9,930 |             14,673 |              39,222 |
 | ExecutionInstallDelegate      |            5,714 |             5,760 |             18,862 |              43,392 |
-| ModularAccount                |           21,973 |            28,676 |              2,603 |              20,476 |
+| ModularAccount                |           22,270 |            28,973 |              2,306 |              20,179 |
 | NativeFunctionDelegate        |              434 |               461 |             24,142 |              48,691 |
 | NativeTokenLimitModule        |            4,449 |             4,476 |             20,127 |              44,676 |
 | PaymasterGuardModule          |            1,845 |             1,872 |             22,731 |              47,280 |
-| SemiModularAccountBytecode    |           23,275 |            29,978 |              1,301 |              19,174 |
-| SemiModularAccountStorageOnly |           23,769 |            30,472 |                807 |              18,680 |
+| SemiModularAccountBytecode    |           23,572 |            30,275 |              1,004 |              18,877 |
+| SemiModularAccountStorageOnly |           24,061 |            30,764 |                515 |              18,388 |
 | SingleSignerValidationModule  |            3,646 |             3,673 |             20,930 |              45,479 |
 | TimeRangeModule               |            2,000 |             2,027 |             22,576 |              47,125 |
 | WebAuthnValidationModule      |            7,854 |             7,881 |             16,722 |              41,271 |

Code coverage:

File % Lines % Statements % Branches % Funcs
src/account/AccountBase.sol 100.00% (8/8) 100.00% (7/7) 100.00% (2/2) 100.00% (4/4)
src/account/AccountStorageInitializable.sol 100.00% (19/19) 100.00% (26/26) 100.00% (5/5) 100.00% (2/2)
src/account/ModularAccount.sol 100.00% (2/2) 100.00% (2/2) 100.00% (0/0) 100.00% (2/2)
src/account/ModularAccountBase.sol 99.03% (305/308) 96.40% (375/389) 78.33% (47/60) 97.37% (37/38)
src/account/ModularAccountView.sol 100.00% (24/24) 100.00% (28/28) 100.00% (2/2) 100.00% (4/4)
src/account/ModuleManagerInternals.sol 95.08% (58/61) 96.20% (76/79) 62.50% (5/8) 100.00% (3/3)
src/account/SemiModularAccountBase.sol 88.71% (55/62) 92.13% (82/89) 66.67% (10/15) 100.00% (15/15)
src/account/SemiModularAccountBytecode.sol 100.00% (6/6) 100.00% (7/7) 100.00% (1/1) 100.00% (2/2)
src/account/SemiModularAccountStorageOnly.sol 80.00% (4/5) 83.33% (5/6) 100.00% (0/0) 50.00% (1/2)
src/account/TokenReceiver.sol 33.33% (1/3) 33.33% (1/3) 100.00% (0/0) 33.33% (1/3)
src/factory/AccountFactory.sol 70.59% (24/34) 76.09% (35/46) 40.00% (2/5) 58.33% (7/12)
src/helpers/ExecutionInstallDelegate.sol 92.59% (50/54) 92.96% (66/71) 40.00% (2/5) 100.00% (7/7)
src/helpers/NativeFunctionDelegate.sol 100.00% (16/16) 100.00% (30/30) 100.00% (0/0) 100.00% (1/1)
src/libraries/ExecutionLib.sol 98.92% (274/277) 98.15% (266/271) 84.85% (28/33) 100.00% (24/24)
src/libraries/KnownSelectorsLib.sol 100.00% (16/16) 100.00% (34/34) 100.00% (0/0) 100.00% (2/2)
src/libraries/LinkedListSetLib.sol 94.00% (47/50) 96.25% (77/80) 66.67% (4/6) 100.00% (8/8)
src/libraries/MemManagementLib.sol 100.00% (54/54) 100.00% (70/70) 100.00% (0/0) 100.00% (12/12)
src/libraries/ModuleInstallCommonsLib.sol 57.14% (8/14) 42.11% (8/19) 75.00% (3/4) 100.00% (3/3)
src/modules/ModuleBase.sol 100.00% (13/13) 94.12% (16/17) 100.00% (2/2) 100.00% (3/3)
src/modules/permissions/AllowlistModule.sol 86.05% (74/86) 85.71% (96/112) 78.26% (18/23) 50.00% (9/18)
src/modules/permissions/NativeTokenLimitModule.sol 90.91% (40/44) 93.22% (55/59) 100.00% (13/13) 66.67% (8/12)
src/modules/permissions/PaymasterGuardModule.sol 83.33% (10/12) 82.35% (14/17) 66.67% (2/3) 71.43% (5/7)
src/modules/permissions/TimeRangeModule.sol 83.33% (10/12) 80.00% (16/20) 100.00% (1/1) 75.00% (6/8)
src/modules/validation/SingleSignerValidationModule.sol 92.00% (23/25) 81.58% (31/38) 62.50% (5/8) 90.00% (9/10)
src/modules/validation/WebAuthnValidationModule.sol 61.11% (11/18) 66.67% (18/27) 100.00% (3/3) 60.00% (6/10)
Total 94.19% (1152/1223) 93.15% (1441/1547) 77.89% (155/199) 85.38% (181/212)

@octane-security-app-dev Octane Security App Dev
Copy link

octane-security-app-dev bot commented Nov 11, 2024
edited
Loading

Overview

Vulnerabilities found: 2                                                                                

Detailed findings

src/account/ModularAccountBase.sol

🔗 Commit Hash: 85a7a12
🛡️ Octane Dashboard: All vulnerabilities

fangting-alchemy
fangting-alchemy reviewed Nov 11, 2024
View reviewed changes
src/account/ModularAccountBase.sol Outdated
@@ -413,12 +414,18 @@ abstract contract ModularAccountBase is
/// [(33 + deferredActionSigLength + encodedDataLength):] : bytes, userOpSignature. This is the
/// signature passed to the inner validation.
if (hasDeferredAction) {
// Because this bypasses UO validation hooks, we require that the validation used does not include any
// validation hooks.
if (!getAccountStorage().validationStorage[validationFunction].validationHooks.isEmpty()) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should document this during validation installation.

If you want to use a validation to approve deferred actions in the future, it should not have validation hooks.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where do you think this fits? As a comment in installValidation()? Or perhaps in the documentation for integrators/SDK?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the documentation notion doc for now to later transfer to the doc site is enough probably.

@Zer0dot Zer0dot changed the base branch from develop to adam/fix-execute-user-op-with-def-action November 12, 2024 22:08
@adamegyed adamegyed force-pushed the adam/fix-execute-user-op-with-def-action branch 2 times, most recently from 67305ea to 3973328 Compare November 13, 2024 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fangting-alchemy fangting-alchemy fangting-alchemy left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Zer0dot @fangting-alchemy @adamegyed