Account Vulnerability Disclosure
No funds were lost and accounts are secure
On Monday, February 17th, 2020, our team received a vulnerability disclosure from samczsun. The vulnerability takes advantage of the order of operations in one of the account contract’s meta transaction functions and allows an attacker take control of the account. Please see samczsun’s detailed write up here. Thanks to the responsible disclosure, our team was able to quickly triage the issue and execute on a plan to secure users’ funds that evening. We’re relieved to say that no funds were lost and users are in complete control of their accounts.
The fix
To fix the issue, we used the exploit to force upgrade the account to the patched implementation, and then released control back to the user. We were able to do this with nearly zero interruption in service and without losing a penny of the $11,422.64 that was at risk.
Moving forward
We’re a new project and have big plans for our smart contracts. As we continue to iterate, we’ll be engaging in additional security audits to get more eyes on the code. Also, the auditing firm we previously engaged with has graciously offered to put the cost of the audit towards a bug bounty for Authereum with half of those funds going to samczsun for this discovery. Lastly, we plan on exploring options with Nexus Mutual to provide coverage for users in the event of an exploited smart contract vulnerability in the future.
Conclusion
If you’re working on a project in the Ethereum space, you hope to never receive a message from samczsun. No individual has come close his volume of critical vulnerabilities discovered in live projects on the Ethereum network. While it’s never fun to receive bad news, we’re incredibly thankful for the work samczsun has done not just to secure Authereum, but our space as whole. We’re humbled and incredibly impressed. Well done samczsun. 👏
Further reading
- Authereum, meet Parity — samczsun
