
When a session call with BEHAVIOR_REVERT_ON_ERROR behavior fails, the entire execution reverts but the signature remains valid, since the nonce is not yet consumed. Attackers can forge a valid partial signature from a failed multi-call session, executing partial calls that were never intended to run independently.
Moreover, if an attacker has access to the mempool, they can frontrun a multi-call session to execute only a subset of calls, either to grief the legitimate call or to inflict financial damage on the wallet owners.
The Calls contract consumes nonces before signature validation and execution. When a call fails with BEHAVIOR_REVERT_ON_ERROR, the entire transaction reverts, including nonce consumption.

At this point, the signature is publicly visible and still valid, because nonce usage is not yet recorded on the Calls contract.
Session signatures are validated per-call using individual call hashes, which makes a partial signature replay attack possible:

This vulnerability also opens another huge attack vector: frontrunning. Malicious parties can monitor the mempool for a multi-call session and deliberately frontrun it to execute only a subset of the expected calls. This can either grief the legitimate session or cause financial damage to the wallet owners.
Alpha: this is a common bug in signature schemes; make sure it's not possible to partially execute batch signatures. Note that it reverts if the signature fails, so individual signatures can be executed after the reverted tx, and this doesn't need frontrunning.
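
The following Python model is an added example, not code from the audited contracts. It shows why per-call signatures survive a reverted batch and how binding each signature to the whole payload rejects a subset. Assumptions: HMAC stands in for the wallet's real signature scheme, the per-call hash is assumed to cover the nonce plus one call, and the Wallet class, call fields and "bound" mode are hypothetical names for one possible mitigation.

```python
import hashlib, hmac

KEY = b"constructed-session-key"   # constructed stand-in for the session signer's key

def h(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def sign(msg):                     # HMAC replaces the real scheme; only what is signed matters
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def call_hash(nonce, call):        # assumption: per-call hash covers nonce + one call
    return h(str(nonce).encode(), call["to"].encode(), call["data"].encode())

def payload_hash(nonce, calls):    # covers the nonce and every call, in order
    return h(*[call_hash(nonce, c) for c in calls])

def message(nonce, calls, i, bound):
    ch = call_hash(nonce, calls[i])
    return h(payload_hash(nonce, calls), ch) if bound else ch

def sign_batch(nonce, calls, bound):
    return [sign(message(nonce, calls, i, bound)) for i in range(len(calls))]

class Wallet:
    def __init__(self, bound):
        self.bound, self.nonce, self.executed = bound, 0, []

    def execute(self, nonce, calls, sigs):
        if nonce != self.nonce or len(sigs) != len(calls):
            return False
        for i, sig in enumerate(sigs):
            if not hmac.compare_digest(sig, sign(message(nonce, calls, i, self.bound))):
                return False
        if any(c["fails"] for c in calls):
            return False           # revert-on-error: nothing persists, nonce included
        self.nonce += 1            # state is only committed when every call succeeds
        self.executed += [c["data"] for c in calls]
        return True

def replay_subset(bound):
    wallet = Wallet(bound)
    batch = [{"to": "token", "data": "approve", "fails": False},
             {"to": "dex", "data": "swap", "fails": True}]   # constructed batch
    sigs = sign_batch(0, batch, bound)
    assert wallet.execute(0, batch, sigs) is False   # full batch reverts, sigs now public
    wallet.execute(0, batch[:1], sigs[:1])           # first call resubmitted on its own
    return wallet.executed

print(replay_subset(bound=False), replay_subset(bound=True))
```

With per-call signatures the first call runs alone after the revert; with payload-bound signatures the subset fails validation because its payload hash differs from the one that was signed.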
Conclusion
This finding would earn you $19609, and only requires knowledge of the partial signature execution attack vector.