{"id":642,"date":"2024-05-15T14:00:03","date_gmt":"2024-05-15T12:00:03","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=642"},"modified":"2024-07-04T12:27:32","modified_gmt":"2024-07-04T10:27:32","slug":"wake-erc-4337-detector","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/wake-erc-4337-detector\/","title":{"rendered":"Wake ERC-4337 Detector"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Ackee is finalizing an ERC-4337 detector to identify the use of forbidden opcodes and storage access, turning a very labor-intensive manual review into an automated process that reduces the chance of human error.<\/span><\/p>\n<p>Let Wake detect ERC-4337 related vulnerabilities in your code. Want to get your code tested for free by our Wake ERC-4337 detector? <a href=\"https:\/\/ackee.deform.cc\/4337\" target=\"_blank\" rel=\"noopener\">Submit this deform!<\/a><\/p>\n<p>The detector already found an issue in the Rhinestone\u00a0<a class=\"c-link c-link--underline\" href=\"https:\/\/github.com\/rhinestonewtf\/modulekit\/blob\/947ad946e13850c9aa2b8fde600be871366d0a4d\/examples\/src\/MultiFactor\/MultiFactor.sol#L406\" target=\"_blank\" rel=\"noopener\" data-stringify-link=\"https:\/\/github.com\/rhinestonewtf\/modulekit\/tree\/main\/examples\" data-sk=\"tooltip_parent\">modulekit examples<\/a>\u00a0project. The discovered finding shows that even when accessing a mapping using the correct key, the mapping may contain nested dynamic data structures that may trigger reading from forbidden storage slots. 
This example clearly shows the need for an automated tool that can discover such issues, which would otherwise lead to a denial of service for the smart account.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-716\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2024\/05\/image.png\" alt=\"bytes memory validatorStorageData = $validator.data;\" width=\"2960\" height=\"1090\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image.png 2960w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-300x110.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-1024x377.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-768x283.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-1536x566.png 1536w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-2048x754.png 2048w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-370x136.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/image-760x280.png 760w\" sizes=\"auto, (max-width: 2960px) 100vw, 2960px\" \/><\/p>\n<h2><span style=\"font-weight: 400;\">About Wake Framework<\/span><\/h2>\n<p><a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Wake<\/span><\/a><span style=\"font-weight: 400;\"> is a Python-based framework for the development and testing of Solidity smart contracts. It includes a static analysis engine to explore and report issues in Solidity code. 
Wake is developed and used by Ackee Blockchain Security to perform smart contract audits &#8211; and it has helped discover a number of medium, high and critical <\/span><a href=\"https:\/\/ackee.xyz\/wake\/docs\/latest\/#discovered-vulnerabilities\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">vulnerabilities<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span data-preserver-spaces=\"true\">Develop, test, and write secure code using Wake inside VS Code via our extension: <\/span><a class=\"editor-rtfLink\" href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=AckeeBlockchain.tools-for-solidity\" target=\"_blank\" rel=\"noopener\"><span data-preserver-spaces=\"true\">Tools for Solidity<\/span><\/a><span data-preserver-spaces=\"true\">.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-652 size-full\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks.png\" alt=\"\" width=\"3200\" height=\"742\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks.png 3200w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-300x70.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-1024x237.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-768x178.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-1536x356.png 1536w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-2048x475.png 2048w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-370x86.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-Stops-Hacks-760x176.png 760w\" sizes=\"auto, (max-width: 3200px) 100vw, 3200px\" \/><\/p>\n<h2><span style=\"font-weight: 400;\">ERC-4337 forbidden opcodes and storage access<\/span><\/h2>\n<p><a 
href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-4337#validation-rules-rationale\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">ERC-4337<\/span><\/a><span style=\"font-weight: 400;\"> defines a set of restrictions in the user operation validation phase that must be followed to protect user operation bundlers from denial of service attacks. The restrictions are fully described in <\/span><a href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-7562\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">ERC-7562<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The restrictions include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">forbidden opcodes and conditionally forbidden opcodes,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">restricted access to the storage of contracts other than the smart account being interacted with.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Ackee is finalizing an ERC-4337 detector that analyzes the ERC-4337 <code class=\"codehl\">validateUserOp<\/code> function, which serves as the entry point for the validation phase. All subsequently called functions are tested as well. The use of restricted opcodes is reported in the form of detections.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Detecting restricted storage access requires a more comprehensive approach. Storage access is only allowed to the slot <code class=\"codehl\">A<\/code> and to the slots <code class=\"codehl\">keccak256(A || x) + offset<\/code>, where <code class=\"codehl\">A<\/code> is the address of the smart account being interacted with, <code class=\"codehl\">x<\/code> is any <code class=\"codehl\">bytes32<\/code> value, <code class=\"codehl\">offset<\/code> is a number up to 128, and <code class=\"codehl\">||<\/code> represents concatenation. 
Access to the slot <code class=\"codehl\">A<\/code> can only be achieved through assembly (the Yul language), while the second pattern (involving <code class=\"codehl\">keccak256<\/code>) is typical of accessing Solidity mappings with <code class=\"codehl\">A<\/code> as the mapping key.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Both problems involve evaluating whether a specific value (a Yul <code class=\"codehl\">sload<\/code> or <code class=\"codehl\">sstore<\/code> argument, or a mapping key) is equal to the smart account address. The smart account address is always stored as a member (named <code class=\"codehl\">sender<\/code>) of the first argument of <code class=\"codehl\">validateUserOp<\/code>. Thus, the problem may be restated as verifying whether the given value depends on <code class=\"codehl\">sender<\/code> or on another variable defined elsewhere in the code. The dependency path may involve any number of function calls, re-assignments to new variables, or type casts.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Wake ERC-4337 detector uses a Data Dependency Graph, a feature under active development, to analyze data relations between different parts of the code. 
The Data Dependency Graph is utilized in the ERC-4337 detector to achieve high precision in the reported detections.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-644 size-full aligncenter\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector.jpeg\" alt=\"\" width=\"1600\" height=\"1376\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector.jpeg 1600w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector-300x258.jpeg 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector-1024x881.jpeg 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector-768x660.jpeg 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector-1536x1321.jpeg 1536w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector-370x318.jpeg 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/05\/Wake-ERC4337-Detector-760x654.jpeg 760w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Thanks to the ERC-4337 detector, it is very easy to detect the use of forbidden opcodes and storage accesses, which would be very labor-intensive to verify manually.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Get your code tested for free by our Wake ERC-4337 detector by <\/span><a href=\"https:\/\/ackee.deform.cc\/4337\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">submitting this deform!<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ackee is finalizing an ERC-4337 detector to identify the use of forbidden opcodes and storage access, turning a very labor-intensive manual review into an automated process that reduces the chance of human error. Let Wake detect ERC-4337 related vulnerabilities in your code. Want to get your code tested for free by our Wake ERC-4337 detector? 
Submit this deform! The detector already found&hellip;<\/p>\n","protected":false},"author":14,"featured_media":646,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,80,103],"tags":[107,108,101,104],"class_list":["post-642","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum","category-solidity","category-wake","tag-detector","tag-erc-4337","tag-safe","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/11\/Wake-Detector-ERC-4337-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/11\/Wake-Detector-ERC-4337-600x600.png","author_info":{"display_name":"Michal P\u0159evr\u00e1til","author_link":"https:\/\/ackee.xyz\/blog\/author\/michal-prevratil\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=642"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/642\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/646"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}