Alchemy - Modular Account V2

Off-Chain (Private)
Audited on 2025/02/17
No active critical issues

Summary

Quantstamp audited the v2 version of the `modular-account` repository by Alchemy, as well as small parts of the `reference-implementation` repository of the ERC-6900 standard. `modular-account` is designed to provide a flexible, modular system for Ethereum accounts in compliance with ERC-6900 v0.8, enabling users to add, update, and manage various functionalities through modular extensions. The core purpose of this framework is to offer smart contract accounts that can be dynamically customized with specific modules for permissions, validation, and account management, allowing for adaptable, secure account configurations tailored to diverse use cases. Modules operate independently, ensuring modularity, and are supported by foundational libraries that manage function installation, validation logic, and execution handling. This audit also includes critical supporting files from the `reference-implementation` repository that define constants and libraries used in the former repository (see section "Scope" for a list of the contracts in the scope of the audit). Overall, the code is well-written, the test suite for `modular-account` is robust, and the Alchemy team was responsive and helpful in answering all questions. Throughout the audit, two high-severity issues were found: one concerning a lack of validation hooks running on deferred actions (ALC-1), and the other highlighting a potential breach of the `NativeTokenLimitModule` when empty paymaster data is submitted (ALC-2). The rest of the issues are relatively minor and easily addressed. **Fix-Review Update:** The issues were either fixed properly or acknowledged with reasonable grounds, and a major change was introduced to the nonce system.


Issues (23)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 14 | - | - | - | 14 |
| Fixed | 7 | - | 2 | - | 9 |
| Total | 21 | 0 | 2 | 0 | 23 |


Contracts (7)