Ethereum Blog

Security Alert – Smart Contract Wallets created in frontier are vulnerable to phishing attacks

Introduction

user

Fabian Vogelsteller

Author, Meteorjs enthusiast and Web3.js and Mist developer for the ethereum project and creator of the feindura - flat file based CMS.


LATEST POSTS

Security Alert – Mist can be vulnerable when navigating to malicious DApps 27th October, 2016

Ethereum Wallet – Developer Preview 16th September, 2015

Security

Security Alert – Smart Contract Wallets created in frontier are vulnerable to phishing attacks

Posted on .

Affected configurations: All smart contract wallets created using Ethereum Wallet  Frontier, version 0.4.0 (Beta 7) or earlier. Wallets created with Ethereum Wallet 0.5.0 and all later versions released after March 3, 2016, are not affected.

Likelihood: Low

Severity: High

Summary:

Do not use wallet contracts or owner accounts of those wallets that were created by the Ethereum Wallet 0.4.0 or earlier. If you send to (or interact with) a malicious contract it could take ownership of your wallet contract. Create a new wallet and move your funds.

How to be super safe??

Don’t use the vulnerable wallet contracts, AND the owner accounts of these wallets to send ether and interact with contracts you don’t know!
If you don’t use these accounts and wallets, and upgrade your wallet as 
described here, you are safe!

Details:

An attack vector was discovered that affects the smart contract wallets created before the Homestead release (Frontier phase). The attack can happen if an affected wallet interacts with a malicious contract OR if the owner account of an affected wallet interacts with a malicious contract that knows the address of his wallet. An attacker can then impersonate the owner and thus can steal funds or tokens and change the owner of the wallet.

If you do not use your wallet and owner accounts with contracts you don’t know, you are safe!

Receiving Ether and sending Ether to non-contract accounts is fine.

Also if you configured your wallet with multisig, you are safer, as the attacker would need to make you send with all owners to malicious contract(s).

 

Proposed solution:

We recommend that if you created a wallet using the affected versions, you take one of these steps:

  • Create a new wallet with the latest version of Ethereum Wallet (any version from 0.5.0 or newer) and move your funds there. You can follow these steps.
  • Until you do the above, do not use any account which is an owner of an affected wallet, or the affected wallet itself to interact with closed source or otherwise unknown contracts that might trigger arbitrary actions (including forwarding Ether). Send/interact only to addresses you own, or know!
  • Create a secondary account for your every day usage. This one should not be connected to your contract wallets

 

Remedial action taken by Ethereum Foundation:

We created a new Ethereum Wallet release 0.7.6, which will detect your vulnerable wallets.

Download the latest release and follow the steps described in the release notes to update your vulnerable wallets!

https://github.com/ethereum/mist/releases/tag/0.7.6

 

profile

Fabian Vogelsteller

http://frozeman.de

Author, Meteorjs enthusiast and Web3.js and Mist developer for the ethereum project and creator of the feindura - flat file based CMS.

Comments
user

Author It’s Not An Ξrror

Posted at 2:13 pm June 24, 2016.

Can we have the contract code of this bug in order to see what not to do ?

Reply
    user

    Author Shannon Code

    Posted at 3:17 pm June 24, 2016.

    Which piece is vulnerable?

    Reply
    user

    Author Fabian Vogelsteller

    Posted at 3:53 pm June 24, 2016.

    I think its better to wait until most of the people upgraded to explain this vulnerability in detail 😉

    Reply
      user

      Author noharkfork

      Posted at 6:22 pm June 24, 2016.

      There’s nothing like security by obscurity…

      Reply
user

Author Frantic Bedlamite

Posted at 4:20 pm June 24, 2016.

When I run this new updated version I get stuck on “Looking for peers” screen, and it does not seem to search for nodes at all.

Reply

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

View Comments (5) ...
Navigation