AA V7 #207

Open
wants to merge 10 commits into
base: main

Conversation

ylv-io (Collaborator) commented Jun 20, 2024

Description

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Dependency changes
  • Deployment
  • Forge Script
  • Code refactor / cleanup
  • Documentation or wording changes
  • Other

Checklist:

  • The diff is legible and has no extraneous changes
  • Complex code has been commented, including external interfaces
  • Tests have 100% code coverage
  • The base branch is either main, or there's a description of how to merge

Issue Resolution

openzeppelin-code bot commented Jun 20, 2024

AA V7

Generated at commit: 35b3f095670c885e224242b3bc975f1178041200

🚨 Report Summary

Severity Level Results

              Critical  High  Medium  Low  Note  Total
Contracts     4         2     0       11   39    56
Dependencies  0         0     0       0    0     0

For more details view the full report in OpenZeppelin Code Inspector

…on handling to use PackedUserOperation, remove deprecated scripts, and improve gas limit packing logic.
…on and yarn.lock to clean up unused packages.
…olete JSON test data, and enhance test assertions in KintoInflator and SponsorPaymaster contracts.
…peration in EngenBadgesTest for consistency and correctness.

github-actions bot commented Jan 7, 2025

Slither report

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results.
Summary

encode-packed-collision

Impact: High
Confidence: High

function compress(PackedUserOperation calldata op) external view returns (bytes memory compressed) {
    // decode `callData` (selector, target, value, bytesOp)
    bytes4 selector = bytes4(_slice(op.callData, 0, 4));
    bytes memory callData = _slice(op.callData, 4, op.callData.length - 4);
    // set flags based on conditions
    uint8 flags = _flags(selector, op, callData);
    bytes memory buffer = abi.encodePacked(flags);
    // encode `sender`, `nonce` and `initCode`
    buffer = abi.encodePacked(buffer, op.sender, uint32(op.nonce), uint32(op.initCode.length), op.initCode);
    console2.logBytes(buffer);
    // encode `callData` depending on the selector
    if (selector == IKintoWallet.execute.selector) {
        // if selector is `execute`, encode the callData as a single operation
        (address target, uint256 value, bytes memory bytesOp) = abi.decode(callData, (address, uint256, bytes));
        buffer = _encodeExecuteCalldata(op, target, value, bytesOp, buffer);
    } else {
        // if selector is `executeBatch`, encode the callData as a batch of operations
        (address[] memory targets, uint256[] memory values, bytes[] memory bytesOps) =
            abi.decode(callData, (address[], uint256[], bytes[]));
        buffer = _encodeExecuteBatchCalldata(targets, values, bytesOps, buffer);
    }
    // encode gas params
    buffer = abi.encodePacked(buffer, op.accountGasLimits, op.gasFees, uint32(op.preVerificationGas));
    console2.logBytes(buffer);
    // if there is a paymaster, then encode its gas settings
    if (flags & 0x02 == 0x02) {
        buffer = abi.encodePacked(buffer, op.paymasterAndData[20:52]);
    }
    console2.log("op.signature.length:", op.signature.length);
    console2.logBytes(op.signature);
    // encode `signature` content
    buffer = abi.encodePacked(buffer, uint32(op.signature.length), op.signature);
    console2.logBytes(buffer);
    return LibZip.flzCompress(buffer);
}

unchecked-transfer

Impact: High
Confidence: Medium

function withdraw(address asset, uint256 amount) public returns (uint256) {
    address pool = poolAddressProvider.getPool();
    // If amount is max uint256, withdraw all available
    if (amount == type(uint256).max) {
        amount = IERC20(IAavePool(pool).getReserveData(asset).aTokenAddress).balanceOf(address(this));
    }
    // Withdraw from Aave
    IAavePool(pool).withdraw(asset, amount, address(this));
    // Send the fee to the Safe
    uint256 fee = amount * FEE / 1e18;
    IERC20(asset).transfer(safe, fee);
    return amount - fee;
}

codecov bot commented Jan 7, 2025

Codecov Report

Attention: Patch coverage is 97.77778% with 1 line in your changes missing coverage. Please review.

Project coverage is 88.70%. Comparing base (bd848da) to head (3af76f4).

Files with missing lines               Patch %   Lines
src/paymasters/SponsorPaymaster.sol    94.44%    1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #207      +/-   ##
==========================================
+ Coverage   88.65%   88.70%   +0.05%     
==========================================
  Files          41       41              
  Lines        2521     2533      +12     
==========================================
+ Hits         2235     2247      +12     
  Misses        286      286              
Files with missing lines               Coverage Δ
src/access/AccessPoint.sol             66.66% <ø> (ø)
src/access/AccessRegistry.sol          93.02% <ø> (ø)
src/inflators/KintoInflator.sol        85.79% <100.00%> (+0.58%) ⬆️
src/wallet/KintoWallet.sol             94.50% <100.00%> (ø)
src/paymasters/SponsorPaymaster.sol    91.60% <94.44%> (+0.33%) ⬆️

…version and optimizer settings in foundry.toml, and add KintoCounterScript for executing user operations.