Fireblocks and UniPass wallet address vulnerability in Ethereum ERC-4337 account abstraction.

Fireblocks, a cryptocurrency infrastructure company, has pinpointed and helped address what it refers to as the inaugural account abstraction vulnerability within the Ethereum ecosystem.

An announcement made on Oct. 26 detailed the identification of an ERC-4337 account abstraction vulnerability in the smart contract wallet UniPass. The two organizations collaborated to resolve the vulnerability, which was reportedly detected in numerous mainnet wallets during a ‘whitehat’ hacking initiative.

Fireblocks indicated that the vulnerability could enable a potential attacker to execute a complete account takeover of the UniPass wallet by manipulating Ethereum’s account abstraction mechanism.

According to Ethereum’s developer documentation regarding ERC-4337, account abstraction changes how transactions are validated and processed by the blockchain, enhancing flexibility and efficiency.

Traditional Ethereum transactions involve two categories of accounts: externally owned accounts (EOAs) and contract accounts. EOAs are governed by private keys and can initiate transactions, while contract accounts are managed by the code of a smart contract. When an EOA sends a transaction to a contract account, it activates the execution of the contract’s code.

Account abstraction introduces the concept of a meta-transaction or more generalized abstracted accounts. Abstracted accounts are not linked to a specific private key and can initiate transactions and interact with smart contracts similarly to an EOA.

As Fireblocks clarifies, when an ERC-4337-compliant account performs an action, it depends on the EntryPoint contract to ensure that only signed transactions are executed. These accounts generally rely on a single audited EntryPoint contract to confirm that the account has authorized a command before that command is executed:

“It’s important to note that a malicious or buggy entrypoint could, in theory, skip the call to “validateUserOp” and just call the execution function directly, as the only restriction it has is that it’s called from the trusted EntryPoint.”

Fireblocks reported that the vulnerability enabled an attacker to take control of UniPass wallets by substituting the trusted EntryPoint of the wallet. Once the account takeover was accomplished, an attacker would gain access to the wallet and could deplete its funds.
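The trust relationship the two paragraphs above describe, as an added Solidity illustration that is not UniPass's or Fireblocks' code: a toy ERC-4337-style account whose trusted EntryPoint address can be replaced by any caller, beside one whose EntryPoint is fixed at deployment. The contract names, `setEntryPoint`, `ep` and the simplified signature encoding are assumptions; the real UniPass wallet code is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal ERC-4337-style account, not UniPass code. Assumed
// names: entryPoint(), setEntryPoint(), execute(), validateUserOp().
abstract contract AccountBase {
    address public owner;

    function entryPoint() public view virtual returns (address);

    modifier onlyEntryPoint() {
        require(msg.sender == entryPoint(), "caller is not the trusted EntryPoint");
        _;
    }

    // ERC-4337 convention: return 0 when the owner signed userOpHash, 1 otherwise.
    // Constructed simplification: sig is abi.encode(r, s, v) over userOpHash itself.
    function validateUserOp(bytes32 userOpHash, bytes calldata sig)
        external onlyEntryPoint returns (uint256 validationData)
    {
        (bytes32 r, bytes32 s, uint8 v) = abi.decode(sig, (bytes32, bytes32, uint8));
        return ecrecover(userOpHash, v, r, s) == owner ? 0 : 1;
    }

    // The only guard is msg.sender: the account trusts that the EntryPoint ran
    // validateUserOp first, so whoever controls entryPoint() controls the funds.
    function execute(address dest, uint256 value, bytes calldata data) external onlyEntryPoint {
        (bool ok, ) = dest.call{value: value}(data);
        require(ok, "call failed");
    }
}

// Defect (constructed for illustration): the trusted EntryPoint is mutable and
// setEntryPoint has no access control, so any caller can redirect the trust anchor
// to a contract that never calls validateUserOp before calling execute.
contract VulnerableAccount is AccountBase {
    address private ep;

    constructor(address _owner, address _ep) { owner = _owner; ep = _ep; }

    function entryPoint() public view override returns (address) { return ep; }

    function setEntryPoint(address newEp) external { ep = newEp; }
}

// Hardened: the EntryPoint is fixed at deployment. If it must ever change, route the
// change through onlyEntryPoint so it requires a validated, owner-signed operation.
contract HardenedAccount is AccountBase {
    address private immutable ep;

    constructor(address _owner, address _ep) { owner = _owner; ep = _ep; }

    function entryPoint() public view override returns (address) { return ep; }
}
```

A review check that follows from this pattern: every path that can change the address `onlyEntryPoint` compares against must itself be gated by the same validated flow, or the `msg.sender` check protects nothing.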

Several hundred users with the ERC-4337 module activated in their wallets were susceptible to the attack, which could be executed by any participant on the blockchain. The wallets in question contained only small amounts of funds, and the issue has been addressed at an early stage.

After confirming that the vulnerability was exploitable, Fireblocks’ research team conducted a whitehat operation to rectify the existing vulnerabilities. This involved actively exploiting the vulnerability:

“We shared this idea with the UniPass team, who took it upon themselves to implement and run the whitehat operation.”

Ethereum co-founder Vitalik Buterin previously highlighted challenges in accelerating the adoption of account abstraction functionality, which includes the necessity for an Ethereum Improvement Proposal (EIP) to upgrade EOAs into smart contracts and ensuring the protocol operates on layer-2 solutions.
