search
Active Boosts

51129 sc low boringvault proxies do not support smart contract wallets

Submitted on Jul 31st 2025 at 12:18:30 UTC by @holydevoti0n for Attackathon | Plume Networkarrow-up-right

  • Report ID: #51129

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Vulnerability Details

The TellerWithMultiAssetSupportPredicateProxy uses the PredicateClient to verify signatures.

    function deposit(
        ERC20 depositAsset,
        uint256 depositAmount,
        uint256 minimumMint,
        address recipient,
        CrossChainTellerBase teller,
        PredicateMessage calldata predicateMessage
    )
        external
        nonReentrant
        returns (uint256 shares)
    {
        if (paused()) {
            revert TellerWithMultiAssetSupportPredicateProxy__Paused();
        }

        bytes memory encodedSigAndArgs = abi.encodeWithSignature("deposit()");
        // @audit-issue the signature method is incompatible with smart wallets that use eip-1271.
@>        if (!_authorizeTransaction(predicateMessage, encodedSigAndArgs, msg.sender, 0)) {
            revert TellerWithMultiAssetSupportPredicateProxy__PredicateUnauthorizedTransaction();
        }
...

The problem is _authorizeTransaction does not support smart contract wallets:

https://github.com/predicatelabs/predicate-contracts/blob/32d16b289752951c6dfe51b7efd2ec1c17b63e5c/src/ServiceManager.sol#L335

This will lead the transaction to revert because, with EIP-7702, it is now possible for addresses to have code.length > 0 but still use their private keys to sign;

hashtag
Impact Details

circle-exclamation

Smart contract wallets cannot interact with the TellerWithMultiAssetSupportPredicateProxy as ECDSA.recover from _authorizeTransaction will cause the transaction to revert.

hashtag
Recommendation

circle-info

The use of SignatureChecker would resolve this issue, as it supports EOA and ERC‑1271 signatures. For example: SignatureChecker.isValidERC1271SignatureNow

OpenZeppelin docs: https://docs.openzeppelin.com/contracts/5.x/api/utils/cryptography#SignatureChecker

hashtag
References

chevron-rightRelevant linkshashtag

  • EIP7702 - https://eip7702.io/

  • OZ recover function: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol#L115-L119

  • Predicate ServiceManager (validateSignatures): https://github.com/predicatelabs/predicate-contracts/blob/32d16b289752951c6dfe51b7efd2ec1c17b63e5c/src/ServiceManager.sol#L335

hashtag
Proof of Concept

1

hashtag
Smart contract wallet attempts deposit

User is a Smart Contract Wallet that wants to deposit funds through TellerWithMultiAssetSupportPredicateProxy.

2

hashtag
User signs transaction using smart contract wallet address

User signs the transaction with their private key, but uses the smart contract wallet address and calls the deposit function.

3

hashtag
Predicate constructs hash including smart contract wallet address

The hash built in PredicateClient.ServiceManager.validateSignatures utilises the smart contract wallet address to compare the hash against the signature:

https://github.com/predicatelabs/predicate-contracts/blob/32d16b289752951c6dfe51b7efd2ec1c17b63e5c/src/ServiceManager.sol#L335

4

hashtag
Transaction reverts

ECDSA.recover fails to validate and the transaction reverts. The user cannot deposit into the vault using TellerWithMultiAssetSupportPredicateProxy.

Previous50507 sc high non atomic yield distribution may lead to theft of yieldNext51860 sc high missing access control in stakeonbehalf lets anyone bloat another user s validator list leading to permanent fund lock via gas exhaustion dos

Was this helpful?