
The Factory.deploy function uses create2 to deploy a wallet but reverts (CreateCollision) if address already exists.
Per ERC-4337, factories that use deterministic creation must return the account address even if the account was already created (eip-4337) so bundlers and entryPoint.getSenderAddress() can simulate/obtain the counterfactual address without failing. The current implementation breaks that invariant: calling the factory when the account already exists will revert instead of returning the existing address, which can break ERC-4337 flows (simulations, getSenderAddress, bundler logic, UX).
If the factory does use CREATE2 0xF5 or some other deterministic method to create the Account, it’s expected to return the Account address even if it had already been created.
Additionally, Sequence’s wallet implementation and README expect ERC-4337 compatibility (implements validateUserOp etc.), so factory behavior is important for integration README#erc-4337-integration.
Alpha: ERC4337 factory functions must not revert when getting the account address, even if the account is already created.
Conclusion
This finding would earn you $5882, requiring mostly ERC4337 knowledge.