CVE-2025-46834
Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook
Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.
Reserved 2025-04-30 | Published 2025-05-15 | Updated 2025-05-19 | Assigner GitHub_MCWE-863: Incorrect Authorization
github.com/...ccount/security/advisories/GHSA-jhp7-7cq9-m4pv
github.com/...ommit/5e6f540d249afcaeaf76ab95517d0359fde883b0
Support options
