Check UserOperation Sender

[ylv-io]

Description

Type of change

• Bug fix
• New feature
• Breaking change
• Dependency changes
• Deployment
• Forge Script
• Code refactor / cleanup
• Documentation or wording changes
• Other

Checklist:

• The diff is legible and has no extraneous changes
• Complex code has been commented, including external interfaces
• Tests have 100% code coverage
• The base branch is either main, or there's a description of how to merge

Issue Resolution

[openzeppelin-code]

Check UserOperation Sender

Generated at commit: 8f934a3c3a45ee1316877d87659add13d91d2da7

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	4 2 0 11 39 56
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[github-actions]

Slither report

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results.
Summary

• encode-packed-collision (1 results) (High)
• unchecked-transfer (1 results) (High)

encode-packed-collision

Impact: High
Confidence: High

• ID-0
  KintoInflator.compress(PackedUserOperation) calls abi.encodePacked() with multiple dynamic arguments:
  • buffer = abi.encodePacked(buffer,op.paymasterAndData)

kinto-core/src/inflators/KintoInflator.sol

Lines 145 to 187 in 51e9154

	function compress(PackedUserOperation calldata op) external view returns (bytes memory compressed) {
	// decode `callData` (selector, target, value, bytesOp)
	bytes4 selector = bytes4(_slice(op.callData, 0, 4));
	bytes memory callData = _slice(op.callData, 4, op.callData.length - 4);
	// set flags based on conditions
	uint8 flags = _flags(selector, op, callData);
	bytes memory buffer = abi.encodePacked(flags);
	// encode `sender`, `nonce` and `initCode`
	buffer = abi.encodePacked(buffer, op.sender, uint32(op.nonce), uint32(op.initCode.length), op.initCode);
	console2.logBytes(buffer);
	// encode `callData` depending on the selector
	if (selector == IKintoWallet.execute.selector) {
	// if selector is `execute`, encode the callData as a single operation
	(address target, uint256 value, bytes memory bytesOp) = abi.decode(callData, (address, uint256, bytes));
	buffer = _encodeExecuteCalldata(op, target, value, bytesOp, buffer);
	} else {
	// if selector is `executeBatch`, encode the callData as a batch of operations
	(address[] memory targets, uint256[] memory values, bytes[] memory bytesOps) =
	abi.decode(callData, (address[], uint256[], bytes[]));
	buffer = _encodeExecuteBatchCalldata(targets, values, bytesOps, buffer);
	}
	// encode gas params
	buffer = abi.encodePacked(buffer, op.accountGasLimits, op.gasFees, uint32(op.preVerificationGas));
	console2.logBytes(buffer);
	// if there is a paymaster, then encode it's gas settings
	if (flags & 0x02 == 0x02) {
	buffer = abi.encodePacked(buffer, op.paymasterAndData[20:52]);
	}
	console2.log("op.signature.length:", op.signature.length);
	console2.logBytes(op.signature);
	// encode `signature` content
	buffer = abi.encodePacked(buffer, uint32(op.signature.length), op.signature);
	console2.logBytes(buffer);
	return LibZip.flzCompress(buffer);
	}

unchecked-transfer

Impact: High
Confidence: Medium

• ID-1
  AaveWithdrawWorkflow.withdraw(address,uint256) ignores return value by IERC20(asset).transfer(safe,fee)

kinto-core/src/access/workflows/AaveWithdrawWorkflow.sol

Lines 50 to 64 in 51e9154

	function withdraw(address asset, uint256 amount) public returns (uint256) {
	address pool = poolAddressProvider.getPool();
	// If amount is max uint256, withdraw all available
	if (amount == type(uint256).max) {
	amount = IERC20(IAavePool(pool).getReserveData(asset).aTokenAddress).balanceOf(address(this));
	}
	// Withdraw from Aave
	IAavePool(pool).withdraw(asset, amount, address(this));
	// Send the fee to the Safe
	uint256 fee = amount * FEE / 1e18;
	IERC20(asset).transfer(safe, fee);
	return amount - fee;
	}

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.18%. Comparing base (3af76f4) to head (8f934a3).

Additional details and impacted files

@@              Coverage Diff               @@
##           feat/aa-v7     #335      +/-   ##
==============================================
+ Coverage       88.70%   89.18%   +0.47%     
==============================================
  Files              41       41              
  Lines            2533     2525       -8     
==============================================
+ Hits             2247     2252       +5     
+ Misses            286      273      -13     

Files with missing lines	Coverage Δ
src/apps/KintoAppRegistry.sol	94.76% <100.00%> (+5.77%)	⬆️

[rrecuero]

why are we removing this logic?

[rrecuero]

is this function not called anymore by geth?