fix: [CL ALCHEMY-002] use correct validation function for running hooks in executeUserOp

[adamegyed]

Motivation

Addresses CL ALCHEMY-002.

When a deferred action is used, the validation-associated exec hooks, which run within executeUserOp, load the wrong set of hooks by reading from the first 24 bytes of userOp.signature, which refers to the validation of the deferred action, rather than the user op.

Solution

When using deferred actions, switch the encoding locations of the validation for the user op and the validation for the deferred action. This results in executeUserOp loading and running the correct set of hooks.

Note that while the locations are switched, the contents of the EIP-712 struct for deferred actions remains the same, so the "outer" user op validation remains what is signed over.

Also add a test to verify this behavior.

[Zer0dot]

Since it's not technically a ValidationConfig, would it make sense just to use a raw bytes25?

[Zer0dot]

@adamegyed is this what you were referring to previously-- in that we treat this like a ValidationConfig when in reality it should be a ModuleEntity + validationFlags (where 0b00000001 is isGlobal)?

But in reality the flags are different.

[adamegyed]

Yes, exactly.

[Zer0dot]

Wdyt if we made this a bytes25 instead too?

[adamegyed]

Update to bytes25 here and in ModuleSignatureUtils!

[octane-security-app]

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

• ModularAccountBase.sol: The modifications change the validation sequence, using outer validation for UO and inner validation for deferred actions, and streamline validation configs.
• AccountTestBase.sol: The smart contract now includes global validation using ValidationConfigLib for deferred actions, enhancing signature handling and validation processes.
• ModuleSignatureUtils.sol: The smart contract adds deferred action support and modifies validation handling, incorporating new utilities for packing validation data.

---

🔗 Commit Hash: 412583f

[github-actions]

Contract sizes:

 | Contract                      | Runtime Size (B) | Initcode Size (B) | Runtime Margin (B) | Initcode Margin (B) |
 |-------------------------------|------------------|-------------------|--------------------|---------------------|
 | AccountFactory                |            4,814 |             5,239 |             19,762 |              43,913 |
 | AllowlistModule               |            9,553 |             9,580 |             15,023 |              39,572 |
 | ExecutionInstallDelegate      |            5,714 |             5,760 |             18,862 |              43,392 |
-| ModularAccount                |           21,931 |            28,634 |              2,645 |              20,518 |
+| ModularAccount                |           21,975 |            28,678 |              2,601 |              20,474 |
 | NativeFunctionDelegate        |              434 |               461 |             24,142 |              48,691 |
 | NativeTokenLimitModule        |            4,449 |             4,476 |             20,127 |              44,676 |
 | PaymasterGuardModule          |            1,845 |             1,872 |             22,731 |              47,280 |
-| SemiModularAccountBytecode    |           23,233 |            29,936 |              1,343 |              19,216 |
-| SemiModularAccountStorageOnly |           23,727 |            30,430 |                849 |              18,722 |
+| SemiModularAccountBytecode    |           23,277 |            29,980 |              1,299 |              19,172 |
+| SemiModularAccountStorageOnly |           23,771 |            30,474 |                805 |              18,678 |
 | SingleSignerValidationModule  |            3,646 |             3,673 |             20,930 |              45,479 |
 | TimeRangeModule               |            2,000 |             2,027 |             22,576 |              47,125 |
 | WebAuthnValidationModule      |            7,854 |             7,881 |             16,722 |              41,271 |

Code coverage:

File	% Lines	% Statements	% Branches	% Funcs
src/account/AccountBase.sol	100.00% (8/8)	100.00% (7/7)	100.00% (2/2)	100.00% (4/4)
src/account/AccountStorageInitializable.sol	100.00% (19/19)	100.00% (26/26)	100.00% (5/5)	100.00% (2/2)
src/account/ModularAccount.sol	100.00% (2/2)	100.00% (2/2)	100.00% (0/0)	100.00% (2/2)
src/account/ModularAccountBase.sol	98.99% (294/297)	96.30% (364/378)	77.59% (45/58)	97.30% (36/37)
src/account/ModularAccountView.sol	100.00% (24/24)	100.00% (28/28)	100.00% (2/2)	100.00% (4/4)
src/account/ModuleManagerInternals.sol	95.08% (58/61)	96.20% (76/79)	62.50% (5/8)	100.00% (3/3)
src/account/SemiModularAccountBase.sol	88.71% (55/62)	92.13% (82/89)	66.67% (10/15)	100.00% (15/15)
src/account/SemiModularAccountBytecode.sol	100.00% (6/6)	100.00% (7/7)	100.00% (1/1)	100.00% (2/2)
src/account/SemiModularAccountStorageOnly.sol	80.00% (4/5)	83.33% (5/6)	100.00% (0/0)	50.00% (1/2)
src/account/TokenReceiver.sol	33.33% (1/3)	33.33% (1/3)	100.00% (0/0)	33.33% (1/3)
src/factory/AccountFactory.sol	70.59% (24/34)	76.09% (35/46)	40.00% (2/5)	58.33% (7/12)
src/helpers/ExecutionInstallDelegate.sol	92.59% (50/54)	92.96% (66/71)	40.00% (2/5)	100.00% (7/7)
src/helpers/NativeFunctionDelegate.sol	100.00% (16/16)	100.00% (30/30)	100.00% (0/0)	100.00% (1/1)
src/libraries/ExecutionLib.sol	99.64% (276/277)	98.89% (268/271)	90.91% (30/33)	100.00% (24/24)
src/libraries/KnownSelectorsLib.sol	100.00% (16/16)	100.00% (34/34)	100.00% (0/0)	100.00% (2/2)
src/libraries/LinkedListSetLib.sol	94.00% (47/50)	96.25% (77/80)	66.67% (4/6)	100.00% (8/8)
src/libraries/MemManagementLib.sol	100.00% (54/54)	100.00% (70/70)	100.00% (0/0)	100.00% (12/12)
src/libraries/ModuleInstallCommonsLib.sol	57.14% (8/14)	42.11% (8/19)	75.00% (3/4)	100.00% (3/3)
src/modules/ModuleBase.sol	100.00% (13/13)	94.12% (16/17)	100.00% (2/2)	100.00% (3/3)
src/modules/permissions/AllowlistModule.sol	86.05% (74/86)	85.71% (96/112)	78.26% (18/23)	50.00% (9/18)
src/modules/permissions/NativeTokenLimitModule.sol	90.91% (40/44)	93.22% (55/59)	100.00% (13/13)	66.67% (8/12)
src/modules/permissions/PaymasterGuardModule.sol	83.33% (10/12)	82.35% (14/17)	66.67% (2/3)	71.43% (5/7)
src/modules/permissions/TimeRangeModule.sol	83.33% (10/12)	80.00% (16/20)	100.00% (1/1)	75.00% (6/8)
src/modules/validation/SingleSignerValidationModule.sol	92.00% (23/25)	81.58% (31/38)	62.50% (5/8)	90.00% (9/10)
src/modules/validation/WebAuthnValidationModule.sol	61.11% (11/18)	66.67% (18/27)	100.00% (3/3)	60.00% (6/10)
Total	94.31% (1143/1212)	93.23% (1432/1536)	78.68% (155/197)	85.31% (180/211)

[octane-security-app]

Overview

Octane AI analysis has finished. No vulnerabilities were found. Cheers! 🎉🎉🎉

---

🔗 Commit Hash: 412583f