Skip to main content
Sigvex

ERC-6900 Modular Account

Detects security issues in modular smart account implementations including plugin validation gaps, execution hook bypass, and module isolation failures.

ERC-6900 Modular Account

Overview

The ERC-6900 modular account detector identifies security vulnerabilities in modular smart account implementations. ERC-6900 defines a standard for modular smart accounts where plugins (modules) can be installed to extend account functionality. Flaws in plugin validation, execution hook ordering, or module isolation can allow malicious plugins to escalate privileges or bypass security checks.

Why This Is an Issue

Modular accounts allow third-party plugins to handle validation, execution, and hooks. Security issues include:

  • Plugin installation without validation: Installing a malicious plugin that overwrites the validation function.
  • Hook execution order manipulation: Plugins that skip or reorder pre-execution hooks.
  • Cross-plugin state corruption: One plugin modifying storage used by another.
  • Uninstallation residue: Plugin removal leaving active hooks or stale permissions.

How to Resolve

// Ensure plugin installation validates permissions
function installPlugin(
    address plugin,
    bytes32 manifestHash,
    bytes calldata installData
) external {
    // Verify manifest hash matches expected plugin interface
    require(IPlugin(plugin).pluginManifest() == manifestHash, "Manifest mismatch");
    // Check plugin doesn't request validation override for critical selectors
    require(!_overridesCriticalSelectors(plugin), "Critical override blocked");
    _installPlugin(plugin, installData);
}

Examples

Sample Sigvex Output

{
  "detector_id": "erc6900-modular-account",
  "severity": "high",
  "confidence": 0.68,
  "description": "Plugin installation function does not validate manifest hash or check for critical selector override. A malicious plugin can replace the validation function, gaining full account control.",
  "location": { "function": "installPlugin(address,bytes32,bytes)", "offset": 28 }
}

Detection Methodology

  1. ERC-6900 interface matching: Identifies contracts implementing IModularAccount by selector analysis.
  2. Plugin lifecycle audit: Checks install/uninstall/update paths for manifest validation and permission checks.
  3. Hook ordering verification: Verifies pre/post execution hooks cannot be bypassed via direct calls.
  4. Isolation analysis: Checks for delegatecall to plugins (full storage access) vs. call (isolated execution).

Limitations

  • Plugin security depends heavily on the manifest and off-chain review; bytecode analysis alone cannot verify plugin intent.
  • ERC-6900 is an evolving standard; implementation details may change.

References