Modular Account V2

@alchemyplatform

Live

Modular Account V2 contains a suite of modular smart contract accounts and modules. Modular Account V2 is maximally secure, modular, and has the cheapest creation costs amongst ERC4337-compatible smart contract accounts.

The accounts are upgradeable, can create session keys with scoped permissions on the account, and can use gas sponsorship provided by the ERC-4337 protocol. They can be used for most smart account use cases thanks to the high flexibility of their modular design.

Modular Account V2 contains 4 smart account implementations:

  1. ModularAccount (ERC4337 compatible)
  2. SemiModularAccountBytecode (ERC4337 compatible)
  3. SemiModularAccountStorageOnly (ERC4337 compatible)
  4. SemiModularAccount7702 (EIP-7702 + ERC4337 compatible)

The repository also contains 2 signature verification modules and 4 permissioning modules.

Scope

In-Scope Targets

Smart Contracts in Scope

The following are the in-scope contracts from the GitHub repo: https://github.com/alchemyplatform/modular-account/tree/v2.0.x

Name                            Address
AccountFactory                  0x00000000000017c61b5bEe81050EC8eFc9c6fecd
ModularAccount                  0x00000000000002377B26b1EdA7b0BC371C60DD4f
SemiModularAccount7702          0x69007702764179f14F51cdce752f4f775d74E139
SemiModularAccountBytecode      0x000000000000c5A9089039570Dd36455b5C07383
SemiModularAccountStorageOnly   0x0000000000006E2f9d80CaEc0Da6500f005EB25A
ExecutionInstallDelegate        0x0000000000008e6a39E03C7156e46b238C9E2036
SingleSignerValidationModule    0x00000000000099DE0BF6fA90dEB851E2A2df7d83
WebAuthnValidationModule        0x0000000000001D9d34E07D9834274dF9ae575217
AllowlistModule                 0x0000000000002311EEE9A2B887af1F144dbb4F6e
NativeTokenLimitModule          0x00000000000001e541f0D090868FBe24b59Fbe06
PaymasterGuardModule            0x0000000000001aA7A7F7E29abe0be06c72FD42A1
TimeRangeModule                 0x00000000000082B8e2012be914dFA4f62A0573eA

Out-of-Scope

  • Smart contracts not in the v2.0.x release branch are considered out of scope.

Known Issues

Known issues from previous security reviews are considered out of scope.

Other known issues that are out of scope:

  • SemiModularAccount7702: when upgrading to an SMA7702 account from an existing account, or upgrading from an SMA7702 account to a new 7702 account, if the signature format is the same in the new account, the bundler is able to omit the upgrade from the auth tuple and keep the gas paid for updating the auth tuple. This can be mitigated by starting from, or ending with, an account with a different signature format. This will be addressed in a subsequent release.
  • Deferred Actions: bundlers or relayers can replace deferred actions with separate deferred actions. Deferred actions are meant to be used in a way such that removing one would cause a validation failure, e.g. approving ERC20 tokens to an ERC20 paymaster before the paymaster validation check, or installing a session key before validation of that session key. Security impacts resulting from such usage are therefore considered out of scope.

Specific Types of Issues

  • User error. Examples include: transferring tokens or account ownership to address(0), financial losses due to granting permissions to a malicious entity, or using a non EIP-7702 account in the EIP-7702 context.
  • Interactions with 3rd-party malicious code. Examples include: installing a faulty or malicious module.
  • Bad behavior from owners. Examples include: an owner DoSing another owner of the same account.
  • Security impacts to accounts due to issues in the ERC-4337 EntryPoint would not be eligible for a modular account bug bounty.
  • Issues related to counterfactual addresses or cryptography attacks that are not economically viable. Examples include generating a hash collision to take over a user’s undeployed ERC-4337 account, or mining EOA addresses to collide with smart contract accounts.
  • Design choices related to protocol. Examples include: two step ownership transfers.
  • Rounding errors.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.

Prohibited Actions

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Live testing on public chains, including public mainnet and public testnet deployments, is prohibited.
    • We recommend testing on local forks, for example using Foundry.
  • Privacy violations, destruction of data, and actions that cause interruption or degradation of our services are prohibited. Only interact with accounts you own or with explicit permission of the account holder.
  • Public disclosure of bugs without the written consent of the Alchemy team is prohibited.
  • No Conflicts of Interest. Any individual who is or has ever been employed by Alchemy (or their family), or who is or has ever been a contractor of Alchemy, may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question (or their family) may not participate in the Bug Bounty.

Eligibility

  • You must discover a previously-unreported, non-public vulnerability that is not previously known by the Alchemy team and is within the scope of this bug bounty program (the “Program”).
  • You must provide all KYC and other documents as requested.
  • You must be the first to disclose the unique vulnerability, in compliance with the disclosure requirements. A vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program is not eligible for a reward.
  • You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • You cannot exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • You cannot publicize or exploit a vulnerability in any way, other than through private reporting to us.
  • You must refrain from any privacy violations, destruction of data, interruption or degradation of any of the assets or systems in scope.
  • You cannot engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • You must be at least 18 years old at the time of submission.
  • You cannot reside in a country under (or otherwise be subject to) any trade or economic sanctions by the United States Treasury’s Office of Foreign Assets Control or other applicable sanctions laws, or where the laws of the United States or local law prohibits participation.
  • You cannot be one of our current or former employees (or their family member), or a vendor or contractor who has been involved in the development of the code of the bug in question.
  • You must comply with all the rules of the Program, including but not limited to, refraining from engaging in any Prohibited Actions.

Severity and Rewards

Risk Classification Matrix

  • Smart Contracts
Severity Level       Impact: Critical   Impact: High   Impact: Medium   Impact: Low
Likelihood: High     Critical           High           Medium           Low
Likelihood: Medium   High               High           Medium           Informational
Likelihood: Low      Medium             Medium         Low              Informational

Rewards given are determined by the security impact, as well as the likelihood of the security impact. All submissions need to contain a clear, reproducible and working proof-of-concept to be eligible for a reward. Any submissions that do not require a redeployment would be capped at a low or medium severity.

Impact Assessment

The impact levels provided below should only be considered guidelines as the impact of a report will be defined on a case-by-case basis solely determined by Alchemy.

Critical:

  • Stealing funds or permanently freezing funds from accounts on a large scale (20+% TVL across all accounts, and/or stealing native tokens or common ERC20s)
  • Loss of control or access to accounts

High:

  • Stealing funds, or temporarily/permanently freezing funds from accounts at a medium scale (1-20% TVL across all accounts)
  • Loss of access to important features on accounts

Medium:

  • Stealing funds, or temporarily/permanently freezing funds from accounts at a smaller scale (such as gas related issues)
  • Loss of access to other features on accounts
  • Loss of funds, or temporarily/permanently freezing funds from the AccountFactory contract
  • Loss of control or access to the AccountFactory contract

Low:

  • The issue does not pose an immediate risk but is relevant to security best practices.

Likelihood Assessment

The likelihood levels provided below should only be considered guidelines, as the likelihood of a report will be defined on a case-by-case basis solely determined by Alchemy.

  • High: Affects most accounts in production. Must affect accounts in the default configuration from the factory, or for very common use cases such as session keys, and/or requires little to no privileged access.

  • Medium: Affects a significant portion of accounts in production. It must also be likely under specific conditions or scenarios, be a reasonably common use case or a likely configuration of the account, and/or require little to no privileged access.

  • Low: Rare but conceivable. This may cover use cases that are not in production today, or attacks that require privileged access.

Reward Ranges

Severity Level   Maximum Payout       Minimum Payout
Critical         Up to $100,000 USD   $50,000 USD
High             Up to $10,000 USD    $5,000 USD
Medium           Up to $2,000 USD     $500 USD
Low              Discretionary        Discretionary

Note: Actual reward amounts are determined at Alchemy’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting your report, you grant Alchemy any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Alchemy’s sole discretion. The terms and conditions of this Program may be altered, and this Program may be wound down, at any time.

Total reward

$100,000

Findings submitted

12

Start date

Feb 5, 2025
