addAllowedRecipients() Function Execution Manifest Skips All Validation, Allowing Anyone to Expand Any Account's Allowlist #111

@Schereo

File affected:

Description
The executionManifest() function in the ColdStorageAddressBookModule contract configures the addAllowedRecipients() function with skipRuntimeValidation: true.

With skipRuntimeValidation: true, the ERC-6900 validation skips all validation for runtime calls to this selector. Any external address can call account.addAllowedRecipients([attackerAddress]), and the account forwards the call to the module without checking authorization. Since msg.sender in the module is the account itself, the attacker's address is added to the account's allowlist.

Meanwhile, removeAllowedRecipients() correctly configures validations with skipRuntimeValidation: false.

Exploit scenario

  1. Account has the ColdStorageAddressBookModule execution module installed.
  2. An attacker calls account.addAllowedRecipients([attackerAddress]). No validation is required. The attacker's address is added to the account's allowlist.
  3. The attacker is now an allowed address. The user can be phished into sending the attacker tokens.

Recommendation
Change the manifest configuration for addAllowedRecipients() to skipRuntimeValidation: false.
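
A manifest check that would catch this misconfiguration in a test suite, as an added example that is not code from the issue or the project. The struct fields are assumed to follow ERC-6900's execution manifest entry, and the IAddressBook interface, its address[] parameter type and the ManifestLint names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed to mirror ERC-6900's manifest entry; the page names only skipRuntimeValidation.
struct ManifestExecutionFunction {
    bytes4 executionSelector;
    bool skipRuntimeValidation;
    bool allowGlobalValidation;
}

// Hypothetical interface for the two selectors in the issue; parameter type assumed.
interface IAddressBook {
    function addAllowedRecipients(address[] calldata recipients) external;
    function removeAllowedRecipients(address[] calldata recipients) external;
}

library ManifestLint {
    /// Returns every selector in `mustValidate` that the manifest exposes with
    /// skipRuntimeValidation == true, i.e. reachable at runtime without validation.
    function unvalidated(ManifestExecutionFunction[] memory fns, bytes4[] memory mustValidate)
        internal pure returns (bytes4[] memory hits)
    {
        hits = new bytes4[](mustValidate.length);
        uint256 n;
        for (uint256 i = 0; i < mustValidate.length; i++) {
            for (uint256 j = 0; j < fns.length; j++) {
                if (fns[j].executionSelector == mustValidate[i] && fns[j].skipRuntimeValidation) {
                    hits[n++] = mustValidate[i];
                    break;
                }
            }
        }
        assembly { mstore(hits, n) } // truncate to the number of hits
    }
}

contract ManifestLintExample {
    // Constructed manifest reproducing the configuration described in the issue.
    function reportedConfig() external pure returns (bytes4[] memory) {
        ManifestExecutionFunction[] memory fns = new ManifestExecutionFunction[](2);
        fns[0] = ManifestExecutionFunction(IAddressBook.addAllowedRecipients.selector, true, false);
        fns[1] = ManifestExecutionFunction(IAddressBook.removeAllowedRecipients.selector, false, false);
        bytes4[] memory must = new bytes4[](2);
        must[0] = fns[0].executionSelector;
        must[1] = fns[1].executionSelector;
        return ManifestLint.unvalidated(fns, must);
    }
}
```

In a test, pass the module's real executionManifest() entries and assert that the returned array is empty; with the constructed manifest above it contains the addAllowedRecipients selector.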
