Alchemy - LightAccount v2

Off-Chain (Public)
Audited on 2025/02/17
No active critical issues

Summary

In this audit, we reviewed the second version of the `LightAccount` developed by the Alchemy team. The main changes introduced in this version include updating the implementation to comply with ERC-4337 v0.7 and the new rules in ERC-7562, the introduction of a `LightAccount` with multiple owners called `MultiOwnerLightAccount`, and other smaller improvements.

Overall, the code is well-written and follows very good software development practices. We have found minor issues ranging from assembly not clearing upper bits to signature verification not fully following the ERC-4337 specification. These few small issues should all have straightforward fixes and should be addressed before deployment.

Some issues from the [original audit](https://certificate.quantstamp.com/full/alchemy-light-account/2c66aef4-ad21-42ad-b159-afcafc6fa803/index.html) of version 1 also apply but have not been included in this report, namely ALC-1 and ALC-2, which outline more general concerns around multiple user operations getting rejected. ALC-3 also applies, as adding expiry to the EOA signature is a good practice. ALC-4 should also be followed, so that the one-step ownership transfer is documented for `v2` and also for the newly created `MultiOwnerLightAccount`.

The test suite consists of 118 tests, all of which pass successfully. The branch coverage stands at a decent 86.52%, which could still be slightly improved.

**Fix Review** All issues have been either fixed or mitigated by the Alchemy team in the commit `0a9480081131c58843a759301b967b9eac99816e`. The test suite has been adequately updated to accommodate the changes.


Issues (4)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 1 | - | - | - | 1 |
| Fixed | 3 | - | - | - | 3 |
| Total | 4 | 0 | 0 | 0 | 4 |


Contracts (77)