Fireblocks reportedly aided UniPass, a smart contract wallet, in addressing a vulnerability linked to ERC-4337 account abstraction.
A cryptocurrency infrastructure company, Fireblocks, discovered and assisted in resolving a vulnerability connected to account abstraction within the Ethereum ecosystem.
On October 26th, Fireblocks announced its discovery of a vulnerability in the UniPass smart contract wallet, related to ERC-4337 account abstraction. The two companies collaborated to rectify the vulnerability unveiled during a white hat hacking operation, which revealed that hundreds of mainnet wallets were at risk.
Fireblocks stated that the vulnerability would have allowed an attacker to completely take over a UniPass Wallet by manipulating Ethereum’s account abstraction process.
According to Ethereum’s documentation, ERC-4337’s account abstraction mechanism allows for more flexibility and efficiency in how transactions and smart contracts are processed by the blockchain.
On a traditional Ethereum network, transactions occur from one of two types of accounts: externally owned accounts (EOAs), controlled by private keys, or contract accounts, managed by smart contract code.
Account abstraction introduces the concept of meta-transactions, which are more generalized and flexible than traditional transactions. An abstracted account is not associated with a specific private key but can still initiate transactions and interact with smart contracts, just like a traditional Ethereum account.
As Fireblocks explained, when an ERC-4337-compliant account, also known as an abstracted account, wants to execute an action, it relies on the EntryPoint contract to ensure that only signed transactions get executed.
An abstracted account will only execute a command if it receives permission from the EntryPoint contract.
“It’s important to note that a malicious or buggy entry point could, in theory, skip the call to ‘validateUserOp’ and just call the execution function directly, as the only restriction it has is that it’s called from the trusted EntryPoint.”
Fireblocks said that the vulnerability allows an attacker to gain control of a UniPass wallet by replacing the trusted EntryPoint with a malicious one. Once an attacker replaces the trusted EntryPoint of a UniPass wallet, they can access and drain the funds in the wallet.
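To illustrate the class of bug described above, here is a hypothetical minimal ERC-4337 account added as an example; it is not UniPass code, and the exact UniPass defect is not reproduced. It assumes a wallet whose only execution gate is "caller is the trusted EntryPoint", and contrasts an unprotected EntryPoint-update function with an access-controlled one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal ERC-4337 account (constructed for illustration).
// The real ERC-4337 EntryPoint also calls validateUserOp() on the account
// before execute(); that check is what a swapped-in EntryPoint can skip.
interface IEntryPoint {}

contract MinimalAccount {
    address public owner;
    IEntryPoint public entryPoint;

    constructor(address _owner, IEntryPoint _entryPoint) {
        owner = _owner;
        entryPoint = _entryPoint;
    }

    // The only gate on execution: the caller must be the trusted EntryPoint.
    modifier onlyEntryPoint() {
        require(msg.sender == address(entryPoint), "caller is not EntryPoint");
        _;
    }

    // VULNERABLE pattern: no access control, so any address may replace the
    // trusted EntryPoint. Once it points at an attacker-controlled contract,
    // that contract passes onlyEntryPoint and can call execute() without any
    // signature validation having happened.
    function setEntryPointUnsafe(IEntryPoint newEntryPoint) external {
        entryPoint = newEntryPoint;
    }

    // HARDENED pattern: only the owner, or the account itself (which can only
    // act through the currently trusted EntryPoint), may change the EntryPoint.
    function setEntryPoint(IEntryPoint newEntryPoint) external {
        require(msg.sender == owner || msg.sender == address(this), "not authorized");
        require(address(newEntryPoint) != address(0), "zero EntryPoint");
        entryPoint = newEntryPoint;
    }

    // Executes an arbitrary call on behalf of the account; guarded only by
    // onlyEntryPoint, so the integrity of entryPoint is the whole security model.
    function execute(address dest, uint256 value, bytes calldata func) external onlyEntryPoint {
        (bool ok, ) = dest.call{value: value}(func);
        require(ok, "call failed");
    }

    receive() external payable {}
}
```

Any function that can change the trusted EntryPoint (or the owner that guards it) needs the same authorization as a fund transfer, because it is equivalent to one.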
Hundreds of wallets were exposed to a potential attack because the ERC-4337 module had been activated within them, and any participant in the blockchain could have exploited the vulnerability.
The wallets affected by the vulnerability did not contain large amounts of funds, and the issue was identified and resolved quickly.
Fireblocks’ research team, upon determining that the vulnerability could be exploited, carried out a white hat operation to patch the issue and prevent any further damage. This involved exploiting the vulnerability:
“We shared this idea with the UniPass team, who took it upon themselves to implement and run the whitehat operation.”
Ethereum co-founder Vitalik Buterin outlined several challenges that need to be overcome to make account abstraction more widespread, including the need for an Ethereum Improvement Proposal (EIP) and compatibility with layer-2 solutions.