A malicious Execution can compromise the entire batch.
Executions should not be able to be aware of each other.
ExecutionLib bleed allows sandwich & signature theft.
Date: June 15 2025
Reporter: @elyx0
Vulnerable contract: 0x63c0c19a282a1b52b07dd5a65b58948a07dae32b
Vulnerable version: 1.3.0
Vulnerability type: Unsafe assembly manipulation
Severity: Critical.
In EIP7702StatelessDeleGator, execute(ModeCode _mode, bytes calldata _executionCalldata) relies on _executionCalldata.decodeBatch(), which is vulnerable through the decodeBatch block that uses assembly.
Several guardrails have been added in the assembly to protect the code while sparing the abi.decode() overhead to save gas, but they fail to constrain the calldata to its intended format.
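
One way to pin calldata to its intended format, shown off-chain in Python as an added example (not code from the report or the project): a decoder that accepts only the canonical abi.encode(Execution[]) layout, so every element offset must land exactly where the previous element ended. The Execution field layout, the function names and the sample batch are assumptions made for illustration.

```python
# Assumption (ERC-7579 layout): Execution = (address target, uint256 value, bytes callData)
WORD = 32

class MalformedBatch(ValueError):
    """Raised when calldata is not the canonical abi.encode(Execution[])."""

def _word(data: bytes, pos: int) -> int:
    if pos + WORD > len(data):
        raise MalformedBatch(f"read past end of calldata at {pos:#x}")
    return int.from_bytes(data[pos:pos + WORD], "big")

def encode_batch(executions) -> bytes:
    """Canonical abi.encode of [(target, value, call_data), ...] (reference encoder)."""
    elems = [b"".join(x.to_bytes(WORD, "big") for x in (t, v, 3 * WORD, len(cd)))
             + cd + bytes(-len(cd) % WORD) for t, v, cd in executions]
    heads, off = b"", len(elems) * WORD
    for e in elems:
        heads, off = heads + off.to_bytes(WORD, "big"), off + len(e)
    return b"".join(x.to_bytes(WORD, "big") for x in (WORD, len(elems))) + heads + b"".join(elems)

def decode_batch_strict(data: bytes):
    """Decode a batch, rejecting any layout the canonical encoder cannot emit."""
    if _word(data, 0) != WORD:
        raise MalformedBatch("array offset must be 0x20")
    n, base = _word(data, WORD), 2 * WORD    # element offsets are relative to base
    expected, out = n * WORD, []
    for i in range(n):
        off = _word(data, base + i * WORD)
        if off != expected:                  # forbids overlapping, gapped or shared elements
            raise MalformedBatch(f"element {i}: offset {off:#x} != {expected:#x}")
        elem = base + off
        target, value = _word(data, elem), _word(data, elem + WORD)
        if target >> 160 or _word(data, elem + 2 * WORD) != 3 * WORD:
            raise MalformedBatch(f"element {i}: bad target or callData offset")
        length, start = _word(data, elem + 3 * WORD), elem + 4 * WORD
        end = start + length + (-length % WORD)
        if end > len(data) or any(data[start + length:end]):
            raise MalformedBatch(f"element {i}: callData out of bounds or dirty padding")
        out.append((target, value, data[start:start + length]))
        expected = end - base                # next element must start right here
    if base + expected != len(data):
        raise MalformedBatch("trailing bytes after last element")
    return out

# Constructed sample batch (not from the report): two calls with made-up targets.
SAMPLE = encode_batch([(0x1111, 0, b"\xaa\xbb\xcc\xdd"), (0x2222, 5, b"")])
```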