Zero-Click Argent-X Wallet Contract Vulnerability, Explained

Braavos - Starknet Wallet
2 min read · Nov 18, 2022

A Tale of Two Versions

StarkNet v0.10.0, released over a month ago, introduced a new transaction version (v1) that changes the way StarkNet account contracts verify transactions: transaction validation logic is now separated from transaction execution logic (the verification itself is still done by the account contract, but it is now the StarkNet OS that calls it). This is beneficial because it allows the StarkNet OS to verify a transaction's validity before running it, thus preventing DDoS attacks from an attacker that cannot produce a valid signature.

Support for transactions using the old version (v0) was left intact to allow users to gradually migrate to the new OS-account contract verification scheme.

Since the OS supports both transaction versions (v0 and v1), the account contract also has to support both.

The Signature Validation Process

The power of smart contract-based wallets (a.k.a. Account Abstraction) is that they allow, among other things, arbitrary verification logic. But as they say, with great power comes great responsibility.

Allowing arbitrary verification logic means that the account contract can decide which verification logic to run: it can run the native protocol verification or custom logic of its own.

(Again, the difference between transaction v0 and v1 is who calls this verification logic function: the contract or the OS.)

However, in the current state of the network, an account should expect to get both kinds of transactions but can decide that it supports only the newer transaction version — v1.
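The validation/execution split described above, as a simplified Python model added here (it is not Braavos, Argent or StarkNet code). The names `Account`, `os_run` and `v1_only`, and the use of HMAC as a stand-in for the real signature scheme, are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Tx:
    version: int      # 0 = legacy, 1 = validation separated from execution
    payload: bytes
    signature: bytes

class InvalidTx(Exception):
    pass

class Account:
    """Toy account contract; HMAC stands in for the real signature scheme."""
    def __init__(self, key: bytes, v1_only: bool):
        self.key, self.v1_only, self.executed = key, v1_only, []

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def validate(self, tx: Tx) -> None:
        if not hmac.compare_digest(self.sign(tx.payload), tx.signature):
            raise InvalidTx("bad signature")

    def execute(self, tx: Tx) -> None:
        if tx.version == 0:
            # v0: nothing validated the tx before this call, so the
            # contract must either refuse it or validate it itself.
            if self.v1_only:
                raise InvalidTx("v0 transactions not supported")
            self.validate(tx)
        self.executed.append(tx.payload)

def os_run(account: Account, tx: Tx) -> bool:
    """Model of the OS entry path; returns True if the tx executed."""
    try:
        if tx.version == 1:
            account.validate(tx)   # v1: the OS calls validation first
        elif tx.version != 0:
            raise InvalidTx("unknown version")
        account.execute(tx)        # execution runs for both versions
        return True
    except InvalidTx:
        return False
```

In this model a transaction with an invalid signature never reaches the execution body on either path, and an account created with `v1_only=True` refuses v0 transactions outright.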

….

To learn more about Zero-Click vulnerability, please visit Braavos’ original article: Zero-Click Argent-X Wallet Contract Vulnerability, Explained

To access the Starknet ecosystem and see the power of account abstraction live, download the Braavos Wallet app and join the discussion on Discord.
