Fireblocks has stepped in to assist UniPass, a smart contract wallet, in fixing a critical vulnerability in the wallet's ERC-4337 account abstraction module.
Fireblocks, a leading cryptocurrency infrastructure firm, says it identified and helped mitigate what it considers the first known account abstraction vulnerability in the Ethereum ecosystem. On 26 October it disclosed an ERC-4337 account abstraction vulnerability in UniPass, a smart contract wallet. The two organizations worked together on the fix, and the vulnerability, which reportedly affected a number of mainnet wallets, was neutralized through a white-hat operation.
According to Fireblocks, the vulnerability could let an attacker take over a UniPass wallet completely by abusing the way the wallet implements Ethereum's account abstraction. Ethereum's developer documentation on ERC-4337 describes account abstraction as a shift in how the blockchain processes transactions and smart contracts, intended to make accounts more flexible and efficient.
Conventional Ethereum transactions involve two types of accounts: externally owned accounts (EOAs) and contract accounts. An EOA is controlled by a private key and can initiate transactions; a contract account is governed by the code of a smart contract and only acts when it is called. When an EOA sends a transaction to a contract account, the contract's code is executed.
Account abstraction generalizes this model. Under ERC-4337 a user's account is itself a smart contract that defines its own validation logic, so it is not bound to one specific private key: it accepts whatever authorization scheme its code implements. Users submit UserOperations, which bundlers package into transactions to the EntryPoint contract, and the contract account can initiate actions and interact with other smart contracts much as an EOA does.
Fireblocks explains that when an ERC-4337 account executes an action, it relies on the EntryPoint contract to ensure that only authorized operations are executed. Typically, these accounts trust a single, thoroughly audited EntryPoint contract, which is expected to obtain the account's authorization (through `validateUserOp`) before executing a command. Fireblocks underlines the consequence: “It’s imperative to note that a malicious or flawed entrypoint could, in theory, bypass the ‘validateUserOp’ call and directly invoke the execution function, as its sole constraint is being invoked from the trusted EntryPoint.”
According to Fireblocks, the vulnerability allowed an attacker to take over UniPass wallets by replacing the wallet's trusted EntryPoint with a contract under the attacker's control. Because the execution function's only guard is that the caller is the trusted EntryPoint, the substituted contract could invoke it directly, skipping `validateUserOp`, and the attacker could then drain the wallet's funds. Several hundred users who had enabled the ERC-4337 module in their wallets were exposed, and the attack could have been launched by anyone on the blockchain. The affected wallets held relatively modest sums, and the problem was fixed promptly.
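To make that trust boundary concrete, here is an added Solidity sketch written for this article. It is illustrative code, not UniPass's or Fireblocks' code and not the actual UniPass module. It models the pattern the article describes: an account whose execution function is guarded only by `msg.sender == entryPoint`, an unauthenticated setter that lets anyone replace that EntryPoint, and a rogue EntryPoint that repoints the wallet to itself and calls `execute` without ever passing through `validateUserOp`. The `HardenedAccount` variant shows the access check that closes the hole. The names `UserOp`, `setEntryPoint`, `RogueEntryPoint`, `takeOver` and the reduced `validateUserOp` signature are assumptions made for the illustration; the real ERC-4337 interfaces carry more fields and more logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the ERC-4337 account trust boundary discussed in the article.
// Names (UserOp, setEntryPoint, execute, RogueEntryPoint) and the reduced
// validateUserOp signature are assumptions for this illustration, not the real spec.

/// Reduced UserOperation: the real ERC-4337 struct carries many more fields.
struct UserOp {
    address sender;
    uint256 nonce;
    bytes callData;
    bytes signature;
}

/// Illustrative account with the weakness described above: the trusted EntryPoint
/// can be swapped by anyone, and the execution path trusts nothing but msg.sender.
contract VulnerableAccount {
    address public owner;
    address public entryPoint;

    constructor(address _owner, address _entryPoint) {
        owner = _owner;
        entryPoint = _entryPoint;
    }

    modifier onlyEntryPoint() {
        require(msg.sender == entryPoint, "caller is not the trusted EntryPoint");
        _;
    }

    // WEAK SPOT: no access control, so any address can nominate itself as EntryPoint.
    function setEntryPoint(address newEntryPoint) external virtual {
        entryPoint = newEntryPoint;
    }

    // The owner's signature is checked here, but only if the EntryPoint chooses to call it.
    // (Simplified: a real implementation also handles nonces, prefunding and EIP-191 hashing.)
    function validateUserOp(UserOp calldata op, bytes32 opHash)
        external view onlyEntryPoint returns (uint256)
    {
        (bytes32 r, bytes32 s, uint8 v) = _split(op.signature);
        return ecrecover(opHash, v, r, s) == owner ? 0 : 1; // 0 = valid, 1 = SIG_VALIDATION_FAILED
    }

    // Its sole guard is onlyEntryPoint: a hostile EntryPoint can call it without validateUserOp.
    function execute(address to, uint256 value, bytes calldata data) external onlyEntryPoint {
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    function _split(bytes calldata sig) internal pure returns (bytes32 r, bytes32 s, uint8 v) {
        require(sig.length == 65, "bad signature length");
        r = bytes32(sig[0:32]);
        s = bytes32(sig[32:64]);
        v = uint8(sig[64]);
    }

    receive() external payable {}
}

/// Stand-in for the "malicious entrypoint" of the quoted text.
contract RogueEntryPoint {
    function takeOver(VulnerableAccount victim, address payable to) external {
        victim.setEntryPoint(address(this));               // 1. become the trusted EntryPoint
        victim.execute(to, address(victim).balance, "");   // 2. execute directly, no validateUserOp
    }
}

/// Hardened variant: only the owner may change the EntryPoint, and the new value must
/// be a contract. A production wallet would route this change through its own
/// validated UserOperation path rather than a bare owner check.
contract HardenedAccount is VulnerableAccount {
    constructor(address _owner, address _entryPoint) VulnerableAccount(_owner, _entryPoint) {}

    function setEntryPoint(address newEntryPoint) external override {
        require(msg.sender == owner, "only owner may change the EntryPoint");
        require(newEntryPoint.code.length > 0, "EntryPoint must be a contract");
        entryPoint = newEntryPoint;
    }
}
```

Deploying `VulnerableAccount`, funding it, and calling `RogueEntryPoint.takeOver` from any address empties the account; the same call against `HardenedAccount` reverts at the owner check. The lesson generalizes beyond the single setter: any path that can change which contract the account treats as its EntryPoint is as security-critical as the signature check itself, because `execute` trusts the EntryPoint completely.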
After recognizing the potential for exploitation, Fireblocks' research team proposed a white-hat operation in which the vulnerability would be exploited deliberately, so that the exposed wallets could be remediated before a malicious actor did the same. Fireblocks reports, “We shared this idea with the UniPass team, who took it upon themselves to implement and execute the whitehat operation.”
Ethereum co-founder Vitalik Buterin had previously highlighted the difficulty of rolling out account abstraction quickly. Doing so would require an Ethereum Improvement Proposal (EIP) that lets EOAs transition into smart contracts while keeping the protocol compatible with layer-2 solutions.