GoPlus: The main reason for the attack on Lumi Finance is the flaw in the signature verification of the smart account contract
According to GoPlus analysis, Lumi Finance on Arbitrum was attacked on July 13, resulting in a loss of approximately $270,000.
The vulnerability originated from a logical flaw in the validateUserOp function of the Sodium smart account contract (ERC-4337) when calling _validateSignature to verify the signature—specifically, during the execution of isValidSignatureNow, the signer parameter was passed as the attacker's address. After an error occurred in the call to ECDSA.tryRecover, it did not revert but instead called the isValidSignature function in the attack contract and passed the verification. The attacker exploited this vulnerability to execute Token approve operations during the UserOperation verification period, obtaining approval rights for ERC20 tokens from multiple smart accounts without the payer's consent.






