audit.md


⚠️ This version contains known issues and should not be used. ⚠️

Audit Results

Auditor

Ackee Blockchain (https://ackeeblockchain.com/).

Notes

The final audit was performed on commit 1981fbc63e3850d626074d81d22a198afe64ac03.

There are two acknowledged findings from the audit report:

  • W2: Usage of solc optimizer

    After careful consideration, we decided to enable the optimizer for the following reasons:

    • The most critical functionality, such as signature checks and replay protection, is handled by the Safe and Entrypoint contracts.
    • The entrypoint contract uses the optimizer.
  • I4: Contract does not allow to specify validAfter and validUntil parameters

    We are choosing not to support this feature at the moment but may implement it in a follow-up revision of the module.

Files

Known Issues

The contract does not include all the User Operation parameters in its signature mechanism. Notably, the two missing parameters are initCode and paymasterAndData. This allows a malicious actor to execute a Safe operation with a different initCode (potentially causing additional gas fees for the user) or paymasterAndData (causing the user to pay gas fees in Ether despite not expecting to) than the user originally intended. See section M1 from the v0.2.0 audit report.
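The following is an added illustration of the coverage gap described above, not code from the module or the audit report. It assumes a field list modelled on the ERC-4337 UserOperation struct and uses SHA-256 as a stand-in for the on-chain hash; the function names and the sample operation are hypothetical and constructed for this example.

```python
import hashlib

# Constructed field list modelled on the ERC-4337 UserOperation struct
# (assumption); the signature itself is never part of the digest.
USER_OP_FIELDS = (
    "sender", "nonce", "initCode", "callData", "callGasLimit",
    "verificationGasLimit", "preVerificationGas", "maxFeePerGas",
    "maxPriorityFeePerGas", "paymasterAndData",
)
# The coverage described under Known Issues: everything except these two.
PARTIAL_FIELDS = tuple(f for f in USER_OP_FIELDS
                       if f not in ("initCode", "paymasterAndData"))


def _encode(value):
    """Length-prefix each value so adjacent fields cannot run together."""
    raw = value if isinstance(value, bytes) else value.to_bytes(32, "big")
    return len(raw).to_bytes(4, "big") + raw


def op_digest(op, fields):
    """SHA-256 stand-in for the signed hash (assumption: not the real EIP-712 hash)."""
    h = hashlib.sha256()
    for name in fields:
        h.update(_encode(op[name]))
    return h.hexdigest()


def uncovered_fields(signed_fields):
    """Fields that can change without invalidating the signature."""
    return [f for f in USER_OP_FIELDS if f not in signed_fields]


# Constructed sample operation and a copy that differs only in paymasterAndData.
intended = {
    "sender": bytes.fromhex("11" * 20), "nonce": 7, "initCode": b"",
    "callData": b"\xde\xad\xbe\xef", "callGasLimit": 100_000,
    "verificationGasLimit": 200_000, "preVerificationGas": 50_000,
    "maxFeePerGas": 30, "maxPriorityFeePerGas": 2,
    "paymasterAndData": bytes.fromhex("22" * 20),
}
altered = dict(intended, paymasterAndData=b"")

if __name__ == "__main__":
    print("uncovered:", uncovered_fields(PARTIAL_FIELDS))
    for label, fields in (("partial", PARTIAL_FIELDS), ("full", USER_OP_FIELDS)):
        same = op_digest(intended, fields) == op_digest(altered, fields)
        print(label, "digest unchanged after edit:", same)
```

The same coverage check can be run as a review step against any signed-field list: an empty result from `uncovered_fields` means every operation parameter is bound to the signature.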