Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Brief/Intro
TractorFacet is incompatible with the upcoming EIP-7702 standard, which will cause signature verification to fail for smart contract accounts. This will prevent users from utilizing the contract if they have converted their EOA to a smart contract account, resulting in denial of service for those users.
Vulnerability Details
EIP-7702 is a standard that allows smart contracts to behave like user accounts, thereby extending the user account landscape of Externally Owned Accounts (EOA) with smart contract accounts.
To verify the signatures, the TractorFacet contract uses the OpenZeppelin ECDSA library that makes a call to the ecrecover precompile contract, which is incompatible with smart contract accounts.
The issue is located at https://arbiscan.io/address/0xcb84F1a368f303798DB6d9cE7B4084Aaf316479b, which is part of the diamond proxy https://arbiscan.io/address/0xD1A0060ba708BC4BCD3DA6C37EFa8deDF015FB70
The Pectra upgrade is going to be implemented in April of 2025, and other EVM blockchains will hard-fork to support EIP-7702.
Impact Details
Functions of TractorFacet will revert if a user allows their EOA to set its code based on any existing smart contract. This will prevent affected users from using the contract's functionality, causing a denial of service for those specific users.
To enable EIP-1271 smart contract account signature checks, consider using the SignatureChecker library instead of the current ECDSA implementation. This would make the contract compatible with both traditional EOAs and smart contract accounts.
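The difference between the two libraries named in the recommendation above, as an added example that is not part of the report and is not TractorFacet's code. It assumes OpenZeppelin Contracts v5.x; the contract and function names are hypothetical, and `SingleOwnerAccount` is a constructed test double.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5.x import paths and return shapes.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
import {IERC1271} from "@openzeppelin/contracts/interfaces/IERC1271.sol";

/// Hypothetical verifier for illustration; names are assumptions, not TractorFacet's.
contract SignerCheckExample {
    /// ECDSA-only: valid only when ecrecover yields `signer` itself.
    function isValidEcdsaOnly(address signer, bytes32 digest, bytes calldata sig)
        external pure returns (bool)
    {
        (address recovered, ECDSA.RecoverError err, ) = ECDSA.tryRecover(digest, sig);
        return err == ECDSA.RecoverError.NoError && recovered == signer;
    }

    /// SignatureChecker: also accepts a signer contract that approves the
    /// digest through ERC-1271 isValidSignature.
    function isValidWithErc1271(address signer, bytes32 digest, bytes calldata sig)
        external view returns (bool)
    {
        return SignatureChecker.isValidSignatureNow(signer, digest, sig);
    }
}

/// Constructed test double: a minimal ERC-1271 account controlled by one key.
contract SingleOwnerAccount is IERC1271 {
    address public immutable owner;

    constructor(address owner_) {
        owner = owner_;
    }

    function isValidSignature(bytes32 digest, bytes memory sig)
        external view override returns (bytes4)
    {
        (address recovered, ECDSA.RecoverError err, ) = ECDSA.tryRecover(digest, sig);
        bool ok = err == ECDSA.RecoverError.NoError && recovered == owner;
        return ok ? IERC1271.isValidSignature.selector : bytes4(0xffffffff);
    }
}
```

With `signer` set to a deployed `SingleOwnerAccount` and `sig` produced by its owner key, `isValidEcdsaOnly` returns false because the recovered address is the owner rather than the account, while `isValidWithErc1271` returns true.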
BIC Response
With the description provided, it's unclear what the vulnerability or impact arising from this change is. It does not seem that EIP-7702 will disrupt existing use cases, or prevent future Tractor operations. Therefore, we are closing this submission.