Investing in Web 3.0 and Crypto Wallets
Cryptocurrency infrastructure firm Fireblocks recently identified and addressed the first account abstraction vulnerability within the Ethereum ecosystem. The vulnerability, found in hundreds of mainnet wallets, would have allowed a potential attacker to take over the UniPass Wallet by manipulating Ethereum’s account abstraction process.
Ethereum’s ERC-4337 account abstraction provides flexibility and efficiency in the way transactions and smart contracts are processed by the blockchain. This discovery highlights the importance of approaching Web 3.0 and crypto-wallet investments with security in mind.
For those looking to get involved in Web 3.0, it is essential to be aware of the risks associated with crypto hacking and how to protect your crypto wallet. Fireblocks and UniPass have provided a great example of how to successfully fight off crypto hackers.
Crypto Wallets and Account Abstraction
Conventional Ethereum transactions involve two types of accounts: externally owned accounts (EOAs) and contract accounts. EOAs are controlled by private keys and can initiate transactions, while contract accounts are controlled by the code of a smart contract. When an EOA sends a transaction to a contract account, it triggers the execution of the contract’s code.
Account abstraction introduces the idea of a meta-transaction or more generalized abstracted accounts. Abstracted accounts are not tied to a specific private key and are able to initiate transactions and interact with smart contracts, just like an EOA.
As Fireblocks explains, when an ERC-4337-compliant account executes an action, it relies on the EntryPoint contract to ensure that only signed transactions get executed. These crypto wallets typically trust a single audited EntryPoint contract to ensure that it receives permission from the account before executing a command.
According to Fireblocks, the vulnerability allowed an attacker to gain control of UniPass wallets by replacing the trusted EntryPoint of the wallet. Once the account takeover was complete, an attacker would be able to access the crypto wallet and drain its funds.
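The trust relationship just described, as an added illustration that is not UniPass or Fireblocks code: a toy wallet that executes only what its trusted EntryPoint relays, an EntryPoint that checks the owner's signature first, and a regression check showing why the function that replaces the EntryPoint must itself be privileged. The unguarded-setter shape is an assumption used for contrast; the page does not state UniPass's actual root cause.

```python
"""Model of the ERC-4337 trust relationship between a smart-contract wallet
and its EntryPoint. Constructed illustration, not UniPass or Fireblocks code."""
from dataclasses import dataclass


class Unauthorized(Exception):
    pass


@dataclass
class Wallet:
    owner: str                 # signer whose approval the EntryPoint verifies
    entry_point: str           # the single audited EntryPoint this wallet trusts
    balance: int = 100         # constructed sample balance
    guard_setter: bool = True  # hypothetical switch: False models an unguarded setter

    def execute(self, caller: str, amount: int) -> int:
        # Only the trusted EntryPoint may trigger execution; it is the contract
        # that verified the owner's signature on the UserOperation.
        if caller != self.entry_point:
            raise Unauthorized("caller is not the trusted EntryPoint")
        self.balance -= amount
        return self.balance

    def set_entry_point(self, caller: str, new_entry_point: str) -> str:
        # Hardened form: replacing the EntryPoint is a privileged action and must
        # arrive through the current EntryPoint, i.e. as an owner-signed UserOp.
        if self.guard_setter and caller != self.entry_point:
            raise Unauthorized("only the trusted EntryPoint may replace itself")
        self.entry_point = new_entry_point
        return new_entry_point


class EntryPoint:
    def __init__(self, address: str) -> None:
        self.address = address

    def handle_op(self, wallet: Wallet, signer: str, amount: int) -> int:
        # Simplified validateUserOp: the operation must carry the owner's approval.
        if signer != wallet.owner:
            raise Unauthorized("UserOperation not signed by wallet owner")
        return wallet.execute(self.address, amount)


def swap_blocked(guard_setter: bool) -> bool:
    """Regression check: can an arbitrary third party point the wallet at an
    EntryPoint it controls and then pass execute()'s check? True if blocked."""
    wallet = Wallet(owner="0xOWNER", entry_point="0xENTRYPOINT", guard_setter=guard_setter)
    try:
        wallet.set_entry_point(caller="0xSTRANGER", new_entry_point="0xSTRANGER")
        wallet.execute(caller="0xSTRANGER", amount=wallet.balance)
    except Unauthorized:
        return True
    return False
```

The check that matters for auditing a wallet module is the second one: with the setter unguarded, the execute() guard is satisfied trivially once the caller has installed itself as the EntryPoint.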
Exploiting the Vulnerability
Several hundred users who had the ERC-4337 module activated in their wallets were vulnerable to crypto hacking, which could be performed by any actor on the blockchain. The wallets in question only held small amounts of funds, and the issue was addressed at an early stage.
Having identified that the crypto vulnerability could be exploited, Fireblocks’ research team carried out a white hat operation to patch the existing vulnerabilities. This involved actually exploiting the crypto vulnerability in the affected wallets before a malicious actor could.
Ethereum co-founder Vitalik Buterin previously outlined challenges in expediting the proliferation of account abstraction functionality, which includes the need for an Ethereum Improvement Proposal (EIP) to upgrade EOAs into smart contracts and ensure the protocol works on layer-2 solutions.