Zer0Dot

#40545 of 53,634
6.6 Total CVSS
Vulnerabilities · 1
PT-2025-21362
6.6
2025-05-15
Unknown · Modular Account De Alchemy · CVE-2025-46834
Name of the Vulnerable Software and Affected Versions: Modular Account de Alchemy versions prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0

Description: The issue concerns a bug in the allowlist module of Modular Account de Alchemy, which is compatible with ERC-4337 and ERC-6900. This bug allows session keys to bypass access control restrictions, enabling them to access external contracts, including ERC20 and ERC721 token contracts. As a result, session keys can transfer all tokens from the account, configure permissions on external modules, remove restrictions, and rotate keys with higher privileges into keys they control.

Recommendations: For versions prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, update to a version that includes the fix provided in commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 to resolve the issue. As a temporary workaround, consider restricting access to the `executeUserOp` path and its subsequent `execute` or `executeBatch` functions to prevent session keys from bypassing access control restrictions.