Barz v2 #2

Draft
wants to merge 14 commits into
base: develop

PowerStream3604
Collaborator

Barz V2 Upgrade

1. Add Multi-tier Module System

  • Add Facet Guard for permission access control between Facets & Modules
  • Support ERC 7579 (Executor, Validator, Hook, FallbackHandler, Policy and Signer through Permission)
  • Support ERC 6900 v0.8 - Work in Progress

Concept and Distinction between Facets and Modules

image

Architecture of Facets in Multi-tier Module System

  1. MMSAFacet makes Barz ERC 7579 Compliant
  2. MSCAFacet makes Barz ERC 6900 Compliant
image

2. Add V2 Migrator Facet

  • Facilitate Secure Migration to V2

3. Update Compiler Version to 0.8.26

  • Compiler Update

PowerStream3604 marked this pull request as draft August 29, 2024 13:19
function execute(
ExecMode _mode,
bytes calldata _executionCalldata
) external payable override onlyEntryPointOrSelf onlyWhenUnlocked withHook {

Allowing self-call in execute functions should be considered carefully.

There is an attack scenario here, where a user is tricked into permitting a session key access to address(this).execute(), not knowing what this permission really entails.

The session key can then build a userop that has userop.calldata with two nested executions, the first one passing the session key permission, the 2nd one would be arbitrary executions. This can lead to loss of funds.

Collaborator Author

@zeroknots Actually, the execute function of the 7579 part, the MMSAFacet's execute() cannot make a self call.
Self calls can only be made when the user uses the default VerificationFacet for UserOp Validation and uses executeSingle() / executeBatch() from AccountFacetV2 for execution.

But it's a good callout, something worth deep consideration.
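
One way a session-key policy could refuse the self-call grant raised in the review comment above, as an added example (not code from the Barz repository). It assumes the ERC-7579 execution encoding, takes the mode as raw `bytes32` rather than the `ExecMode` type, and the `SelfCallGuard` library and its error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

// Added example: hypothetical helper, not part of Barz.
// ERC-7579 batch element: abi.encode(Execution[]) is the batch calldata.
struct Execution {
    address target;
    uint256 value;
    bytes callData;
}

library SelfCallGuard {
    // ERC-7579 call types, carried in the first byte of the execution mode.
    bytes1 internal constant CALLTYPE_SINGLE = 0x00;
    bytes1 internal constant CALLTYPE_BATCH = 0x01;

    error SelfCallNotPermitted(uint256 index);
    error UnsupportedCallType(bytes1 callType);
    error MalformedExecution();

    /// Reverts if any execution in a session-key UserOp targets the account itself,
    /// so a key can never re-enter execute() and wrap an unchecked second execution.
    function assertNoSelfCall(
        address account,
        bytes32 mode,
        bytes calldata executionCalldata
    ) internal pure {
        bytes1 callType = bytes1(mode); // leftmost byte of the mode word
        if (callType == CALLTYPE_SINGLE) {
            // Single call: abi.encodePacked(target, value, callData) = 20 + 32 + n bytes.
            if (executionCalldata.length < 52) revert MalformedExecution();
            address target = address(bytes20(executionCalldata[0:20]));
            if (target == account) revert SelfCallNotPermitted(0);
        } else if (callType == CALLTYPE_BATCH) {
            Execution[] memory batch = abi.decode(executionCalldata, (Execution[]));
            for (uint256 i = 0; i < batch.length; ++i) {
                if (batch[i].target == account) revert SelfCallNotPermitted(i);
            }
        } else {
            // Fail closed: delegatecall (0xff) and any other type run with
            // semantics this policy does not inspect.
            revert UnsupportedCallType(callType);
        }
    }
}
```

A validator or policy module would call `assertNoSelfCall(address(this), mode, executionCalldata)` before accepting a session-key signature; the same target check applies to any other execution entry point that accepts self-calls.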

2 participants