Exactly WebAuthn Owner Plugin

Off-Chain (Public)
Audited on 2024/07/10
No active critical issues

Summary

In this audit, we reviewed an ERC-6900 plugin that enables authentication and authorization of critical function selectors for ERC-6900 accounts, protecting account flows such as contract upgrades and plugin (un)installations. It offers several authentication options, including ECDSA signature validation, ERC-1271 contract validation, and WebAuthn P256 signature support, e.g. to enable Passkeys. The plugin is intended to be equivalent in the functionality it shares with the `MultiOwnerPlugin`. We deem the plugin to be fully compatible with ERC-6900 v0.7. The only aspect diverging from the `MultiOwnerPlugin` was the different requirement on the calldata for installations (EXA-8). Some concerns were uncovered in the `updatePublicKeys()` function (EXA-1), but overall we deem the code and test suite to be in a mature state. As co-authors of the ERC-6900 standard, we are excited about the functionality this plugin brings to the modular account ecosystem.

**Update Fix-Review:** All issues have been addressed and either fixed, mitigated or acknowledged. The already good test suite was extended by an additional 15 tests.


Issues (8)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 6 | - | - | - | 6 |
| Fixed | 1 | 1 | - | - | 2 |
| Total | 7 | 1 | 0 | 0 | 8 |


Contracts (4)