AuditProfile

Security blog

How many times have you come across a fallback() function bug? Here is one!

The protocol implements fallback handlers; once a handler is installed for a selector, anyone can trigger it through the `fallback` function:

    fallback() external payable override(Receiver) receiverFallback {
        FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];
        address handler = $fallbackHandler.handler;
        CallType calltype = $fallbackHandler.calltype;
        require(handler != address(0), MissingFallbackHandler(msg.sig));

        if (calltype == CALLTYPE_STATIC) {
            assembly {
                calldatacopy(0, 0, calldatasize())

                // The msg.sender address is shifted to the left by 12 bytes to remove the padding
                // Then the address without padding is stored right after the calldata
                mstore(calldatasize(), shl(96, caller()))

                if iszero(staticcall(gas(), handler, 0, add(calldatasize(), 20), 0, 0)) {
                    returndatacopy(0, 0, returndatasize())
                    revert(0, returndatasize())
                }
                returndatacopy(0, 0, returndatasize())
                return(0, returndatasize())
            }
        }
        if (calltype == CALLTYPE_SINGLE) {
            assembly {
                calldatacopy(0, 0, calldatasize())

                // The msg.sender address is shifted to the left by 12 bytes to remove the padding
                // Then the address without padding is stored right after the calldata
                mstore(calldatasize(), shl(96, caller()))

                if iszero(call(gas(), handler, 0, 0, add(calldatasize(), 20), 0, 0)) {
                    returndatacopy(0, 0, returndatasize())
                    revert(0, returndatasize())
                }
                returndatacopy(0, 0, returndatasize())
                return(0, returndatasize())
            }
        }
    }

Depending on the fallback handler, this can result in unauthorized transactions, data manipulation, or other unintended behaviour, potentially compromising the security and integrity of the smart account.

1. An attacker sends a transaction to the `ModuleManager` contract with arbitrary data.
2. The fallback function is triggered due to the unrecognized function selector.
3. The fallback function routes the call to the corresponding fallback handler without verifying the sender's authorization.
4. The fallback handler executes the call, potentially leading to unauthorized actions.

The protocol should implement proper authorization control in the fallback function to ensure that only authorized entities can invoke it.
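As an added illustration (not Biconomy or Nexus code, and not the fix the report proposes), the sketch below shows the two places where authorization can live: the handler recovering the original caller from the 20 bytes the account appends after calldata, and an account-side fallback that only forwards calls from an allowlisted caller. The handler mapping, the `allowedCallers` mapping and the contract names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

/// Added example handler: recovers the caller the account appended to calldata.
/// A handler that trusts msg.sender instead sees only the account address and
/// cannot distinguish the account's owner from an arbitrary caller.
contract ExampleHandler {
    address public immutable account; // the smart account allowed to forward calls

    constructor(address _account) { account = _account; }

    /// Original caller, taken from the last 20 bytes of calldata (not msg.sender).
    function _originalSender() internal view returns (address sender) {
        require(msg.sender == account, "caller is not the account");
        require(msg.data.length >= 20, "no sender appended");
        assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
    }

    /// Sensitive logic must authorize `_originalSender()`, not msg.sender.
    function sensitiveAction() external view returns (address) {
        address who = _originalSender();
        // assumed check: only the account owner may reach this point
        return who;
    }
}

/// Added sketch of an account-side gate (assumed design): the fallback forwards
/// only when the caller is allowlisted for that selector, then appends msg.sender
/// the same way the original code does with shl(96, caller()).
abstract contract GatedFallback {
    mapping(bytes4 => address) internal handlers;                      // assumed storage
    mapping(bytes4 => mapping(address => bool)) internal allowedCallers; // assumed storage

    fallback() external payable {
        address handler = handlers[msg.sig];
        require(handler != address(0), "missing fallback handler");
        require(allowedCallers[msg.sig][msg.sender], "unauthorized fallback caller");
        // forward calldata with the 20-byte sender appended, no value (as in the original)
        (bool ok, bytes memory ret) = handler.call(abi.encodePacked(msg.data, msg.sender));
        if (!ok) assembly { revert(add(ret, 32), mload(ret)) }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```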

Read the full report here:

Link: https://codehawks.cyfrin.io/c/2024-07-biconomy/s/42

#fallback

#accesscontrol
