Coinbase Smart Wallet Mitigation Review

Smart Wallet from Coinbase Wallet.

  • Start date5 Apr 2024
  • End date10 Apr 2024
  • Total awards$12,500 in USDC
  • Duration5 days

Coinbase Smart Wallet Mitigation Review details

Important note

Each warden must submit a mitigation review for every individual PR listed in the Scope section below. Incomplete mitigation reviews will not be eligible for awards.

Findings being mitigated

Mitigations of all issues listed here will be considered in-scope.


Mitigations of High & Medium Severity Issues

  • H-01 Fix: The issue is remediated by updating the parameterization of removeOwnerAtIndex to also take an owner argument. We then check that the owner passed matches the owner found at the index. In this way, we prevent a replayable transaction removing a different owner at the same index.
  • M-01 Fix: This issue is complex to address. The warden suggested adding a variable to track in flight withdraws, and we pursued this. However, we realized that bundlers penalize paymasters when the UserOp behaves differently when simulated in isolation vs. in the bundle, and this would not fix this. Instead, we give the owner a tool to address this probabilistically: the owner can set a maxWithdrawDenominator and we enforce that native asset withdraws must be <= address(this).balance / maxWithdrawDenominator. For example, if maxWithdrawDenominator is set to 20, it would take 20 native asset withdraws (each withdrawing max allowed) + 1 native asset withdraw in the same transaction to cause a revert. It is of course known that this doesn't entirely solve the issue, and the efficacy depends the value chosen and usage.
  • QA-01 Fix: We decided to take action here, changing removeOwnerAtIndex to revert if the owner is the last owner and adding removeLastOwner.

Additional Scope to be reviewed

These are additional changes that will be in scope.

URLMitigation ofOriginal Issue
Gas Fixes 1ADD-01195 and 137
Gas Fixes 2ADD-02195 and 38

Out of Scope

We are not taking action on Issue 39.