Affected configurations: All sensible contract wallets created utilizing Ethereum Pockets Frontier, model 0.4.0 (Beta 7) or earlier. Wallets created with Ethereum Pockets 0.5.0 and all later variations launched after March 3, 2016, should not affected.
Chance: Low
Severity: Excessive
Abstract:
Don’t use pockets contracts or proprietor accounts of these wallets that have been created by the Ethereum Pockets 0.4.0 or earlier. When you ship to (or work together with) a malicious contract it may take possession of your pockets contract. Create a brand new pockets and transfer your funds.
Tips on how to be tremendous secure??
Do not use the weak pockets contracts, AND the proprietor accounts of those wallets to ship ether and work together with contracts you do not know!
When you do not use these accounts and wallets, and improve your pockets as described right here, you’re secure!
Particulars:
An assault vector was found that impacts the sensible contract wallets created earlier than the Homestead launch (Frontier part). The assault can occur if an affected pockets interacts with a malicious contract OR if the proprietor account of an affected pockets interacts with a malicious contract that is aware of the deal with of his pockets. An attacker can then impersonate the proprietor and thus can steal funds or tokens and alter the proprietor of the pockets.
If you don’t use your pockets and proprietor accounts with contracts you do not know, you’re secure!
Receiving Ether and sending Ether to non-contract accounts is ok.
Additionally if you happen to configured your pockets with multisig, you’re safer, because the attacker would wish to make you ship with all homeowners to malicious contract(s).
Proposed answer:
We advocate that if you happen to created a pockets utilizing the affected variations, you’re taking one in every of these steps:
- Create a brand new pockets with the most recent model of Ethereum Pockets (any model from 0.5.0 or newer) and transfer your funds there. You possibly can observe these steps.
- Till you do the above, don’t use any account which is an proprietor of an affected pockets, or the affected pockets itself to work together with closed supply or in any other case unknown contracts which may set off arbitrary actions (together with forwarding Ether). Ship/work together solely to addresses you personal, or know!
- Create a secondary account on your each day utilization. This one shouldn’t be linked to your contract wallets
We created a brand new Ethereum Pockets launch 0.7.6, which is able to detect your weak wallets.
