According to official news, the Fireblocks research team recently discovered an ERC-4337 account abstraction vulnerability in the smart contract wallet UniPass. The vulnerability allows an attacker to perform a full account takeover of the UniPass wallet by replacing the wallet's trusted entry point to activate the account abstraction module.
Once the account takeover is complete, the attacker can treat the wallet as their own and drain all funds within it. Hundreds of users with ERC-4337 modules activated in their wallets are vulnerable to this attack, which can be performed by anyone on the blockchain.
The vulnerability consists of 3 different issues that cannot be exploited individually, but can be exploited together to gain owner-level access to the wallet, as follows:
1. The first problem is that the validateSignature function returns "success=true" for an empty signature;
2. The second issue concerns how the role weight required to call the contract's own privileged functions is calculated;
3. The third issue is not in the smart contract code itself but in the module installation process. When the ERC-4337 module is enabled through the wallet's interface, addHook is called four times on-chain to add its functionality.
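To make the first issue concrete, the following is an added illustrative example; it is not UniPass code and does not reproduce the UniPass wallet's logic. The contract name, function names and the owner-based check are assumptions. It places a weak validator that treats a zero-length signature as "nothing to check" (and therefore passes) next to a hardened one that treats an empty or malformed signature as a failure, which is the behaviour an ERC-4337 account should have so that validation can never succeed without a verified signer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not UniPass code. Names below are assumptions.
// Return codes follow the ERC-4337 validateUserOp convention:
// 0 = signature valid, 1 = signature validation failed.
contract SigValidatorExample {
    address public immutable owner;

    uint256 internal constant SIG_VALIDATION_SUCCESS = 0;
    uint256 internal constant SIG_VALIDATION_FAILED = 1;

    // Upper bound for s (EIP-2); signatures with a higher s are malleable
    uint256 internal constant S_UPPER_BOUND =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    constructor(address _owner) {
        require(_owner != address(0), "owner required");
        owner = _owner;
    }

    // WEAK pattern: an empty signature short-circuits to success, so a
    // caller who supplies no signature at all passes validation.
    function validateSignatureWeak(bytes32 hash, bytes calldata sig)
        external view returns (uint256)
    {
        if (sig.length == 0) {
            return SIG_VALIDATION_SUCCESS; // bug: no signer was ever verified
        }
        return _recover(hash, sig) == owner
            ? SIG_VALIDATION_SUCCESS
            : SIG_VALIDATION_FAILED;
    }

    // HARDENED: wrong length, unrecoverable signer, or a signer other than
    // the owner are all failures. There is no path to success without a
    // signature that recovers to the owner.
    function validateSignature(bytes32 hash, bytes calldata sig)
        external view returns (uint256)
    {
        if (sig.length != 65) {
            return SIG_VALIDATION_FAILED;
        }
        address signer = _recover(hash, sig);
        // ecrecover returns address(0) on failure; never let that compare equal
        if (signer == address(0) || signer != owner) {
            return SIG_VALIDATION_FAILED;
        }
        return SIG_VALIDATION_SUCCESS;
    }

    // Split a 65-byte (r, s, v) signature and recover the signer.
    function _recover(bytes32 hash, bytes calldata sig)
        internal pure returns (address)
    {
        if (sig.length != 65) return address(0);
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        if (uint256(s) > S_UPPER_BOUND) return address(0);
        if (v != 27 && v != 28) return address(0);
        return ecrecover(hash, v, r, s);
    }
}
```

The point to check in any account-abstraction validator is that every early return for unusual input (empty, short, or malformed signatures) resolves to the failure code, and that an `address(0)` result from `ecrecover` can never satisfy the owner comparison; a unit test that calls the validator with an empty `bytes` value and asserts on the failure code catches the first class of bug directly.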
Within 24 hours of confirming receipt of the initial disclosure, the UniPass team immediately performed a successful white-hat operation to fix all vulnerable wallets and add the missing "addPermission" call to enable the ERC-4337 module in the future.