By Mat Di Salvo
2 min read
A “high-severity” vulnerability was this month discovered in the Argent Ethereum smartphone wallet which, if left unchecked, could have led to funds being stolen from users.
In a blog post published Thursday, security audit firm OpenZeppelin said that the vulnerability was in wallets that didn’t have the “guardian feature” activated.
The guardian feature allows trusted accounts permission to execute specific actions on the wallet. Guardians can be hardware wallets, MetaMask accounts, other Ethereum accounts held by friends or family members, or a two-factor authentication tool.
OpenZeppelin said that the vulnerability would allow hackers to drain funds from the wallets—and users would only be able to stop the attack in less than 36 hours.
The vulnerability spotted on June 12, identified at least 329 wallets that were at risk. The wallets held 162 ETH ($37,000) in funds.
OpenZeppelin added that another 5,513 wallets with no guardians were detected which would become vulnerable as soon as they upgraded to the latest version of software—but Argent said most of these wallets were inactive.
Argent was quick to fix the bug and user funds are now safe, OpenZeppelin said. Argent contacted affected users the day after its June 12 discovery, and by June 19, Argent fixed and updated the vulnerable smart contract (a piece of blockchain code) and released a new version of the wallet.
“Upon our private disclosure of the vulnerability to Argent, immediate action from their team and affected users was required to keep funds safe,” the blog post read.
All wallets now have the guardian feature immediately enabled—but wallets created March 30 did not have it automatically turned on, and were therefore vulnerable.
The blog post added that “OpenZeppelin and Argent collaborated throughout the entire responsible disclosure process to prevent Argent affected users losing funds.” Argent is a popular Ethereum wallet for smartphones. Its founder, Itamar Lesuisse, has called it the “simplest and safest place for your crypto.”
Decrypt-a-cookie
This website or its third-party tools use cookies. Cookie policy By clicking the accept button, you agree to the use of cookies.