ERC-6900 Modular Account
Detects security issues in modular smart account implementations including plugin validation gaps, execution hook bypass, and module isolation failures.
Overview
The ERC-6900 modular account detector identifies security vulnerabilities in modular smart account implementations. ERC-6900 defines a standard for modular smart accounts where plugins (modules) can be installed to extend account functionality. Flaws in plugin validation, execution hook ordering, or module isolation can allow malicious plugins to escalate privileges or bypass security checks.
Why This Is an Issue
Modular accounts allow third-party plugins to handle validation, execution, and hooks. Security issues include:
- Plugin installation without validation: Installing a malicious plugin that overwrites the validation function.
- Hook execution order manipulation: Plugins that skip or reorder pre-execution hooks.
- Cross-plugin state corruption: One plugin modifying storage used by another.
- Uninstallation residue: Plugin removal leaving active hooks or stale permissions.
How to Resolve
// Ensure plugin installation validates permissions
function installPlugin(
    address plugin,
    bytes32 manifestHash,
    bytes calldata installData
) external {
    // Verify the supplied hash matches the manifest the plugin reports.
    // pluginManifest() returns a struct, so hash its ABI encoding before comparing.
    require(
        keccak256(abi.encode(IPlugin(plugin).pluginManifest())) == manifestHash,
        "Manifest mismatch"
    );
    // Check plugin doesn't request validation override for critical selectors
    require(!_overridesCriticalSelectors(plugin), "Critical override blocked");
    _installPlugin(plugin, installData);
}
Examples
Sample Sigvex Output
{
  "detector_id": "erc6900-modular-account",
  "severity": "high",
  "confidence": 0.68,
  "description": "Plugin installation function does not validate manifest hash or check for critical selector override. A malicious plugin can replace the validation function, gaining full account control.",
  "location": { "function": "installPlugin(address,bytes32,bytes)", "offset": 28 }
}
Detection Methodology
- ERC-6900 interface matching: Identifies contracts implementing IModularAccount by selector analysis.
- Plugin lifecycle audit: Checks install/uninstall/update paths for manifest validation and permission checks.
- Hook ordering verification: Verifies pre/post execution hooks cannot be bypassed via direct calls.
- Isolation analysis: Checks for delegatecall to plugins (full storage access) vs. call (isolated execution).
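The isolation check above starts from knowing which external-call opcodes the account's runtime bytecode contains. The following is an added example, not Sigvex's implementation: a linear opcode sweep that skips PUSH immediates so that data bytes are not mistaken for DELEGATECALL. The function names and the two bytecode fragments are constructed for illustration.

```python
"""Added example: locate CALL and DELEGATECALL opcodes in EVM runtime bytecode."""

CALL, DELEGATECALL = 0xF1, 0xF4
PUSH1, PUSH32 = 0x60, 0x7F

# Constructed fragments (not deployable contracts).
# PUSH1 0xf4; GAS; CALL; STOP -- the 0xf4 here is push data, not an opcode.
ISOLATED = bytes.fromhex("60f45af100")
# PUSH1 0x00; GAS; DELEGATECALL; STOP
SHARED = bytes.fromhex("60005af400")


def iter_opcodes(code: bytes):
    """Yield (offset, opcode), stepping over the inline data of PUSH1..PUSH32."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        # PUSHn carries n bytes of immediate data directly after the opcode.
        pc += 1 + (op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0)


def external_call_sites(code: bytes) -> dict:
    """Return the bytecode offsets of CALL and DELEGATECALL instructions."""
    sites = {"call": [], "delegatecall": []}
    for pc, op in iter_opcodes(code):
        if op == CALL:
            sites["call"].append(pc)
        elif op == DELEGATECALL:
            sites["delegatecall"].append(pc)
    return sites


def isolation_finding(code: bytes) -> str:
    """Classify bytecode by the strongest storage access its calls can grant."""
    sites = external_call_sites(code)
    if sites["delegatecall"]:
        return "delegatecall-present"  # callee runs against the account's storage
    return "call-only" if sites["call"] else "no-external-calls"


if __name__ == "__main__":
    for name, code in (("ISOLATED", ISOLATED), ("SHARED", SHARED)):
        print(name, external_call_sites(code), isolation_finding(code))
```

The sweep only shows which opcodes are present; deciding whether a DELEGATECALL actually targets a plugin address requires tracing the target operand. Compiler metadata appended to the runtime bytecode is also decoded as instructions by a linear sweep and should be stripped first.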
Limitations
- Plugin security depends heavily on the manifest and off-chain review; bytecode analysis alone cannot verify plugin intent.
- ERC-6900 is an evolving standard; implementation details may change.
Related Detectors
- Account Abstraction — ERC-4337 issues
- EIP-7702 Delegation — delegation target vulnerabilities
- Delegatecall — dangerous delegatecall patterns