OpenZeppelin Discloses 'High Severity Vulnerability' in DeFi Wallet Argent

A “high severity vulnerability” was found and patched in Ethereum wallet Argent, according to leading white-hat hackers OpenZeppelin.

Jun 19, 2020 at 3:28 p.m. UTC
Updated Aug 19, 2021 at 2:39 a.m. UTC

According to a disclosure published Friday, OpenZeppelin security researcher Alice Henshaw discovered a vulnerability within Argent that would have allowed user funds to be drained from wallets that did not have Argent’s “guardian” feature.

According to an OpenZeppelin blog post and press release, news of the discovery was first shared with Argent on June 12:

“OpenZeppelin’s research revealed an error in the latest version of Argent’s smart contracts that would allow anyone to trigger the wallet recovery process without a signature – on any wallet with zero guardians – as soon as the wallet is upgraded.”

If attacked, users had only 36 hours to prevent drainage of wallet funds. Even then, users could have their funds frozen through a Denial-of-Service (DoS) attack, OpenZeppelin wrote.

According to Henshaw, the vulnerability stemmed from a March 30 wallet update. OpenZeppelin said 329 wallets with 162 ether (ETH) and undisclosed decentralized finance (DeFi) tokens were at risk. Another 5,513 wallets were vulnerable as well, once they updated to the new Argent software, the blog states.

No Argent funds were affected and a patch has been issued, according to the firm. Henshaw received $25,000 in dai as compensation.

“Only 61 wallets without Guardians and with the affected update were at risk,” Argent spokesman Matthew Wright told CoinDesk. “Our security model meant they had 36 hours to block it by simply tapping ‘Cancel’ in the app. 0 funds were lost. We think it highlights the benefits of having an open-source security model and we’re happy to award OpenZeppelin a bounty for their work.”

Argent acknowledged the vulnerability in a tweet Friday morning, thanking OpenZeppelin for its work.

In March, Argent raised $12 million in a Series A led by Paradigm Ventures. The wallet natively integrates with popular DeFi products such as Maker and Compound.

“The vulnerability discovered by our security researchers could have led to many users losing control of their funds as they upgraded to the latest version of the Argent wallet,” OpenZeppelin CEO Demian Brener said in a statement. “The Argent team has taken quick action to fix this issue so that no user funds were impacted.”
