Researchers at cryptographic security company OpenZeppelin discovered a high-severity vulnerability in the Argent Ethereum wallet, which can result in the loss of funds stored within this wallet.
In a recent publication, the research and security company OpenZeppelin revealed that it had found a serious error in the implementation of the Argent wallet, which allows a hacker to prevent the use of the cryptocurrencies stored within these wallets.
OpenZeppelin reported that this error makes possible a denial-of-service (DoS) attack through which a user's access to their wallet can be prevented, freezing the funds available in the wallet indefinitely. The company also noted that once users are under attack, it is almost impossible to stop the attack and recover the funds, since once it starts, the user has only 36 hours to try to stop it.
For their part, the Argent Ethereum developers thanked OpenZeppelin for their efforts to detect and correct the vulnerability, reporting that the wallets that were at risk are now out of danger.
At the same time, they took quick action to eliminate the risk and protect users.
Details of the report issued by OpenZeppelin
According to the company's analysis, around 329 Argent Ethereum wallets are at serious risk, along with the 162 ETH stored in them. OpenZeppelin also pointed out that 5,513 wallets were identified without the “guardian” function; once these are updated to the latest version of Argent, they will become vulnerable to this attack. The security company also reported that the majority of these wallets are inactive and that Argent no longer considers their owners to be users of the company.
“Our initial analysis reported 329 wallets at immediate risk on the mainnet, with almost 162 ETH in total holdings, plus additional amounts of DeFi tokens and holdings. Additionally, we identified 5513 unguarded wallets that would become vulnerable as soon as they were updated to the latest version of Argent contracts; although Argent reports that most of them are inactive and should not be considered Argent users.”
To fix the vulnerability, Argent updated the vulnerable smart contract on the main network and released an updated version of the wallet software. Argent also notes that it privately contacted all users who were vulnerable to the attack to inform them of the wallet correction and update process. Both companies have now reported that the problem was resolved and that no users were affected by the situation, so all funds that were at risk are now safely stored.
Argent Guardians, a solution that keeps your funds safe
Argent is a mobile wallet that uses a security protocol based on Guardians, which serve as a bridge for users to recover their wallets automatically and without the need for a seed phrase. Argent guardians can be run by other wallet users, or even by external wallets like Dappradar or other hardware wallets.
In the current implementation of Argent wallets, the use of at least one guardian is mandatory, in case the wallet needs to be recovered. Without a guardian it is impossible to recover an Argent wallet, its developers explain.
“Having at least one Guardian is mandatory for new wallets, but when we first launched we gave people the option, while also making it clear that a wallet without a Guardian cannot be recovered.”
To recover a wallet, a user only has to contact their guardian or guardians so that they can sign a proof certifying the user's ownership of the wallet they want to recover. The guardian-based security protocol therefore works in a similar way, at least in form, to the seeds of deterministic wallets, which allow users to restore their wallets by simply entering their seed phrase and a personal key.
In the case of Argent guardians, the signed proofs are sent to the wallet through a command, which checks whether the majority of the guardians have signed their proof. If they have, the user is considered the real owner and can start recovering their wallet and their funds.
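The majority check described above can be modelled in a few lines. This is an added example, not Argent's contract code: the guardian names, keys and wallet labels are constructed, an HMAC stands in for a guardian's real signature, and "majority" is taken as more than half. It treats a wallet with no guardians as unrecoverable, as the developers describe.

```python
import hashlib
import hmac

# Constructed sample data: guardian id -> key registered for the wallet (assumption).
GUARDIANS = {"g1": b"key-one", "g2": b"key-two", "g3": b"key-three"}


def sign_proof(key: bytes, wallet: str, new_owner: str) -> bytes:
    """Guardian side: sign a proof bound to one wallet and one claimed owner."""
    msg = f"recover|{wallet}|{new_owner}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def recovery_approved(guardians: dict, wallet: str, new_owner: str, proofs: list) -> bool:
    """Wallet side: proofs is a list of (guardian_id, signature) pairs."""
    if not guardians:
        # Nobody can vouch for the claimant. Refuse outright instead of relying
        # on threshold arithmetic: a rounded-half threshold over 0 guardians is 0.
        return False
    required = len(guardians) // 2 + 1  # strict majority of registered guardians
    signers = set()
    for guardian_id, signature in proofs:
        key = guardians.get(guardian_id)
        if key is None:
            continue  # signer is not a guardian of this wallet
        expected = sign_proof(key, wallet, new_owner)
        if hmac.compare_digest(signature, expected):
            signers.add(guardian_id)  # a set counts each guardian only once
    return len(signers) >= required


def demo() -> dict:
    """Run the check over constructed proofs and return each outcome."""
    wallet, owner = "wallet-A", "owner-new"
    p1 = ("g1", sign_proof(GUARDIANS["g1"], wallet, owner))
    p2 = ("g2", sign_proof(GUARDIANS["g2"], wallet, owner))
    return {
        "two_of_three": recovery_approved(GUARDIANS, wallet, owner, [p1, p2]),
        "one_of_three": recovery_approved(GUARDIANS, wallet, owner, [p1]),
        "same_guardian_twice": recovery_approved(GUARDIANS, wallet, owner, [p1, p1]),
        "no_guardians": recovery_approved({}, wallet, owner, []),
    }


if __name__ == "__main__":
    print(demo())
```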