    Severity: critical

    Incorrect Account Used for Signing



    Versions of @metamask/eth-ledger-bridge-keyring prior to 0.2.2 may use incorrect accounts for signing transactions.

    The vulnerability affects cases where the user signs a personal message or transaction without first adding the account in the current session. This includes cases where the account was added in a previous session (i.e. the user added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it does not restore the index that tells the keyring which account to sign with. As a result, after the keyring state is serialized and then deserialized, the account at index 0 is always used for signing, even when it is not the currently selected account.

    Any usage of this package to sign with a BIP44 account other than the first account may be vulnerable. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected.
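    The following is an added, simplified model of the failure described above and of a hardened variant; it is not the source of @metamask/eth-ledger-bridge-keyring. The class and method names (VulnerableKeyring, HardenedKeyring, unlockedAccount, accountIndexes, deviceSign, afterRestartSigner), the stand-in for the Ledger signing call, and the sample addresses are all assumptions constructed for this example. It reproduces the scenario in the advisory: add a non-zero BIP44 account, persist the keyring state, restore it in a fresh instance, then sign with that account without re-adding it.

```javascript
// Added illustrative model, not the real keyring code. All names and
// addresses below are assumptions constructed for this example.

// Constructed sample addresses standing in for the BIP44 accounts at
// derivation indices 0, 1 and 2 (m/44'/60'/i'/0).
const SAMPLE_ACCOUNTS = [
  '0x1111111111111111111111111111111111111111',
  '0x2222222222222222222222222222222222222222',
  '0x3333333333333333333333333333333333333333',
];

// Stand-in for asking the hardware device to sign with the key at a given
// BIP44 index: "signer" is the address whose key would have produced the signature.
function deviceSign(index, message) {
  return { signer: SAMPLE_ACCOUNTS[index], message };
}

class VulnerableKeyring {
  constructor() {
    this.accounts = [];
    this.unlockedAccount = 0; // index handed to the device when signing
  }
  addAccount(index) {
    this.accounts.push(SAMPLE_ACCOUNTS[index]);
    this.unlockedAccount = index;
  }
  // Bug modelled here: persisted state carries the accounts but not the index.
  serialize() {
    return { accounts: this.accounts.slice() };
  }
  deserialize(state) {
    this.accounts = state.accounts.slice();
    // unlockedAccount silently keeps the constructor default of 0.
  }
  // The requested address is only validated, not used to pick the key.
  signPersonalMessage(address, message) {
    if (!this.accounts.includes(address)) throw new Error('unknown account');
    return deviceSign(this.unlockedAccount, message);
  }
}

class HardenedKeyring {
  constructor() {
    this.accounts = [];
    this.accountIndexes = {}; // address -> BIP44 index, persisted with the state
  }
  addAccount(index) {
    const address = SAMPLE_ACCOUNTS[index];
    this.accounts.push(address);
    this.accountIndexes[address] = index;
  }
  serialize() {
    return { accounts: this.accounts.slice(), accountIndexes: { ...this.accountIndexes } };
  }
  deserialize(state) {
    this.accounts = state.accounts.slice();
    this.accountIndexes = { ...(state.accountIndexes || {}) };
  }
  // The signing index is derived from the address being asked for, never from
  // whichever account happened to be added last in some earlier session.
  signPersonalMessage(address, message) {
    const index = this.accountIndexes[address];
    if (index === undefined) throw new Error('unknown account');
    return deviceSign(index, message);
  }
}

// Advisory scenario: add the account at `accountIndex`, persist the state,
// restart (fresh instance + deserialize), then sign with that same account
// without re-adding it. Returns the address whose key actually signed.
function afterRestartSigner(KeyringClass, accountIndex) {
  const first = new KeyringClass();
  first.addAccount(accountIndex);
  const persisted = JSON.parse(JSON.stringify(first.serialize()));

  const restored = new KeyringClass();
  restored.deserialize(persisted);
  return restored.signPersonalMessage(SAMPLE_ACCOUNTS[accountIndex], 'hello').signer;
}

console.log('vulnerable model signs with:', afterRestartSigner(VulnerableKeyring, 2));
console.log('hardened model signs with:  ', afterRestartSigner(HardenedKeyring, 2));
```

    In the vulnerable model the restored keyring signs with the account at index 0 regardless of which address was requested, which is why a user on the first account is unaffected while any other BIP44 account silently gets the wrong key. The hardened model both persists the address-to-index mapping and resolves the index from the requested address, so a stale or missing "current account" value can no longer select the key.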


    Upgrade to version 0.2.2 or later.



    Advisory timeline

    1. published

      Advisory Published
      May 20th, 2020
    2. reported

      Reported by Unknown
      Mar 26th, 2020