A “high severity” vulnerability was discovered on the popular Ethereum mobile wallet Argent by researchers at OpenZeppelin, a crypto-focused cybersecurity firm.
According to a blog post from OpenZeppelin, the issue could have allowed attackers to take over the wallets of Argent users, specifically those that have not activated “guardian” features. The post says that the Argent team has now fixed the bug and contacted affected users with steps to keep their wallets safe.
The guardian feature lets Argent users give selected accounts permission to execute actions on the wallet, like locking it or approving a wallet recovery. Before March 30, 2020, users could create wallets without guardians by default. A bug in Argent’s code enabled attackers to target wallets without guardians and trigger a recovery process and steal funds.
The only way for a user to mitigate this process is to monitor their wallet and cancel the recovery request within the 36-hour default recovery period—Argent has a notification process that warns users when a recovery attempt is being made, giving them time to stop the recovery. But even if a user is able to block a false recovery attempt, the bug leaves them vulnerable to a denial of service attack that can keep their funds indefinitely frozen: the attacker can repeatedly trigger a recovery, forcing a victim to remain in the recovery period and preventing them from accessing their funds.
OpenZeppelin has identified 329 wallets holding nearly 162 ETH (~$37,000) that were at immediate risk. An additional 5,513 wallets were also identified as being potentially vulnerable to the attack.
“The Argent team has taken quick action to fix this issue so that no user funds were impacted,” said Demian Brener, CEO of OpenZeppelin.
In March, Argent raised a $12M round led by Paradigm. As reported by The Block, more than 20,000 cryptocurrency wallets have been created on the platform.
Editor’s Note: This post has been updated to clarify that Argent has a notification process to warn users when a recovery attempt is being made
© 2020 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.