Ackee is finalizing its ERC-4337 detector to identify prohibited opcode usage and repository access, transforming a very labor-intensive manual review into an automated process that reduces the potential for human error.
Let Wake detect ERC-4337-related vulnerabilities in your code. Want to test your code for free with the Wake ERC-4337 detector? Submit this form!
wake up A Python-based framework for developing and testing Solidity smart contracts. It includes a static analysis engine that detects and reports issues in your Solidity code. Wake was developed and used by Ackee Blockchain Security to perform smart contract audits, helping to discover several with medium, high, and critical levels. weakness.
ERC-4337 Defines a set of restrictions for the user action validation steps that must be followed to protect the user action bundler from denial-of-service attacks. The limitations are detailed below: ERC-7562.
Limitations include:
- Forbidden opcodes and conditionally prohibited opcodes;
- Access to contract repositories other than the smart accounts with which they interact is restricted.
Ackee is finalizing an ERC-4337 detector that can detect the ERC-4337 ‘validateUserOp’ function, which serves as the entry point for the validation phase. All functions called thereafter are tested. Use of restricted opcodes is reported as a detection.
Detecting restricted storage access requires a more comprehensive approach. Storage access is only allowed to slot `A` and slot `keccak256(A || x) + offset`. Where `A` is the address of the smart account being interacted with, x is the `bytes32` value, `offset`. is a number up to 128 and ‘||’ indicates a concatenation. While access to slot `A` can only be achieved through assembly (Yul language), the second pattern (with `keccak256`) is common to access Solidity mappings using `A` as the key of the mapping.
Both problems involve evaluating whether certain values (Yul `sload` and `sstore` arguments, mapping keys) are equal to a smart account address. The smart account address is always stored as a member (‘sender’) of the first argument of ‘validateUserOp’. So if a given value depends on the ‘sender’ of another variable defined elsewhere in the code, the problem can be redefined as a check. Dependency paths can include function calls, reassignments to new variables, or type casts.
The Wake ERC-4337 detector uses data dependency graphs, a feature currently in development, to analyze data relationships between different parts of the code. Data dependency graphs are utilized in the ERC-4337 detector to achieve high precision of reported detections.
Thanks to the ERC-4337 detector, it is very easy to detect prohibited opcode usage and storage access. This is very labor intensive to check manually.
Test your code for free with the Wake ERC-4337 detector. Submit this form!
