Alchemy Modular Account

Off-Chain (Private)
Audited on 2024/02/22
No active critical issues

Summary

In this audit, we reviewed Alchemy's ERC-6900-compliant Modular Smart Contract Account (MSCA) implementation. That ERC standard is an extension of the ERC-4337 Account Abstraction Infrastructure, further standardizing smart contract accounts and so-called account plugins, which are smart contract interfaces that allow for composable logic within smart contract accounts. It provides further granularity and additional composability for ERC-4337's user operation validation and execution. Similar modularity is also defined for open-ended execution via calls outside of the ERC-4337 context. The main concerns identified in this audit revolve around an incorrect assumption about execution hooks, which lets session key holders circumvent imposed token spending limits (MSCA-1), and an incorrect storage key derivation for session key data, which causes all keys to share the same set of permissions in practice. Furthermore, some problematic side effects were uncovered in cases where the MSCA is enabled to call itself (MSCA-3 and MSCA-4). The MSCA itself is a fairly abstract implementation that on its own provides little functionality and security. This is intended, as the MSCA mainly gains functionality and access control through installed plugins. However, this leads to multiple possibilities of plugin misconfiguration and requires careful maintenance by owners (MSCA-5, MSCA-6, MSCA-7, MSCA-8, MSCA-9, MSCA-10, MSCA-12, MSCA-17, MSCA-19, MSCA-21). We also noticed that the pre-execution hook defined in the `SessionKeyPermissionsPlugin` is not idempotent (MSCA-8), although the specs define idempotency as a requirement for execution hooks. We argue that enforcing idempotency in execution hooks is also challenging and that enforcing non-overlapping execution hooks might be a better design. This report also includes a finding that was reported to us by the Alchemy team (MSCA-22). Overall, we deem the code quality to be high.

The test suite features 360 tests, but MSCA-1 and MSCA-2 show that the `SessionKeyPermissionsPlugin` would benefit from more sophisticated tests.

**Fix Review Update** All issues have either been fixed, mitigated, or acknowledged. Acknowledged issues are an acceptable risk to the client, and some will be addressed in future versions of the ERC. Significant changes have been made to address highlighted issues in the design, such as merging `SessionKeyPlugin` and `SessionKeyPermissionsPlugin`, redesigning hook behavior, and removing injected and permitted call hooks. Alchemy has followed good software development practices when introducing fixes, such as code peer review and thorough documentation of changes in the design. The test suite has been suitably updated and adjusted for the introduced changes and now stands at 417 tests.


Issues (33)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 9 | 3 | - | - | 12 |
| Fixed | 16 | 3 | 2 | - | 21 |
| Total | 25 | 6 | 2 | 0 | 33 |


Contract (1)