CryptoMediaClub

Fireblocks, UniPass wallet tackle Ethereum ERC-4337 account abstraction vulnerability

27.10.2023

Cryptocurrency infrastructure firm Fireblocks has identified and assisted in tackling what it describes as the first account abstraction vulnerability within the Ethereum ecosystem.

An announcement on Oct. 26 unpacked the discovery of an ERC-4337 account abstraction vulnerability in the smart contract wallet UniPass. The two firms worked together to address the vulnerability, which was reportedly found in hundreds of mainnet wallets during a ‘whitehat’ hacking operation.

According to Fireblocks, the vulnerability would allow a potential attacker to carry out a full account takeover of a UniPass wallet by manipulating Ethereum's account abstraction process.

As per Ethereum’s developer documentation on ERC-4337, account abstraction allows for a shift in the way transactions and smart contracts are processed by the blockchain to provide flexibility and efficiency.


Conventional Ethereum transactions involve two types of accounts, externally owned accounts (EOAs) and contract accounts. EOAs are controlled by private keys and can initiate transactions, while contract accounts are controlled by the code of a smart contract. When an EOA sends a transaction to a contract account, it triggers the execution of the contract's code.

Account abstraction introduces the idea of a meta-transaction or more generalized abstracted accounts. Abstracted accounts are not tied to a specific private key and are able to initiate transactions and interact with smart contracts just like an EOA.

As Fireblocks explains, when an ERC-4337-compliant account executes an action, it relies on the EntryPoint contract to make sure only signed transactions get executed. These accounts typically trust a single audited EntryPoint contract to ensure that it receives permission from the account before executing a command:

“It’s important to note that a malicious or buggy entrypoint could, in theory, skip the call to “validateUserOp” and just call the execution function directly, as the only restriction it has is that it’s called from the trusted EntryPoint.”

According to Fireblocks, the vulnerability allowed an attacker to gain control of UniPass wallets by replacing the trusted EntryPoint of the wallet. Once the account takeover was complete, an attacker would be able to access the wallet and drain its funds.
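The trust relationship described above, as an added Python model that is not Fireblocks' or UniPass's code: the account's execution path checks only that the caller is its trusted EntryPoint, so whoever can change that pointer decides whether signatures are checked at all. The class and function names, the HMAC stand-in for the owner's signature and the unguarded setter used for the weak case are assumptions for illustration; the page does not say how the EntryPoint was replaced in UniPass.

```python
import hashlib
import hmac

class Unauthorized(Exception): pass
def sign(key: bytes, call: str) -> bytes:  # HMAC stands in for the owner's signature
    return hmac.new(key, call.encode(), hashlib.sha256).digest()

class Account:
    def __init__(self, owner_key, entry_point, setter_guarded=True):
        self.owner_key, self.entry_point = owner_key, entry_point
        self.setter_guarded, self.executed = setter_guarded, []
    def _require_entry_point(self, caller):
        if caller is not self.entry_point:
            raise Unauthorized("caller is not the trusted EntryPoint")

    def validate_user_op(self, op, caller) -> bool:
        self._require_entry_point(caller)
        return hmac.compare_digest(sign(self.owner_key, op["call"]), op["sig"])

    def execute(self, call, caller):
        # The only restriction here: the caller must be the trusted EntryPoint.
        self._require_entry_point(caller)
        self.executed.append(call)

    def set_entry_point(self, new_ep, caller):
        # Hardened form: only the account itself may change its EntryPoint.
        if self.setter_guarded and caller is not self:
            raise Unauthorized("EntryPoint can only be changed by the account")
        self.entry_point = new_ep

class EntryPoint:  # well-behaved: validate first, then execute
    def handle_op(self, account, op):
        if not account.validate_user_op(op, self):
            raise Unauthorized("signature check failed")
        account.execute(op["call"], self)
class SkippingEntryPoint:  # the quote's buggy entrypoint: never calls validation
    def handle_op(self, account, op):
        account.execute(op["call"], self)

def unsigned_op_runs(setter_guarded: bool) -> bool:
    """True if an unsigned op executes after an outsider swaps the EntryPoint."""
    account = Account(b"constructed-key", EntryPoint(), setter_guarded)
    rogue, outsider = SkippingEntryPoint(), object()
    try:
        account.set_entry_point(rogue, caller=outsider)
        rogue.handle_op(account, {"call": "transfer", "sig": b""})
    except Unauthorized:
        return False
    return account.executed == ["transfer"]
```

With the setter guarded, the swap is rejected and the unsigned operation never reaches `execute`; without the guard, the same operation runs although no signature was ever checked.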

Several hundred users who had the ERC-4337 module activated in their wallets were vulnerable to the attack, which could be performed by any actor on the blockchain. The wallets in question only held small amounts of funds and the issue has been mitigated at an early stage.

Having ascertained that the vulnerability could be exploited, Fireblocks’ research team managed to carry out a whitehat operation to patch the existing vulnerabilities. This involved actually exploiting the vulnerability:

“We shared this idea with the UniPass team, who took it upon themselves to implement and run the whitehat operation.”

Ethereum co-founder Vitalik Buterin previously outlined challenges in expediting the proliferation of account abstraction functionality, which include the need for an Ethereum Improvement Proposal (EIP) to upgrade EOAs into smart contracts and ensuring the protocol works on layer-2 solutions.

Editor: cryptomediaclub.com@gmail.com
Advertising: digestmediaholding@gmail.com

Disclaimer: Information found on CryptoMediaClub is those of writers quoted. It does not represent the opinions of CryptoMediaClub on whether to sell, buy or hold any investments. You are advised to conduct your own research before making any investment decisions. Use provided information at your own risk.
CryptoMediaClub covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.

© 2023 Crypto News. All Rights Reserved
