Vulnerability
Owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the executeUserOp -> execute or executeBatch path, effectively allowing any session key to bypass any access control restrictions set on the session key.
Impact
Session keys are able to:
- Access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out
- Configure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control
Vulnerability
Owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the
executeUserOp->executeorexecuteBatchpath, effectively allowing any session key to bypass any access control restrictions set on the session key.Impact
Session keys are able to: