    Severity: critical

    Incorrect Account Used for Signing

    @metamask/eth-ledger-bridge-keyring

    Overview

    Versions of @metamask/eth-ledger-bridge-keyring prior to 0.2.2 may use incorrect accounts for signing transactions.

    The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has already added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn't restore the index instructing the keyring to use that account for signing. As a result, after serializing then deserializing the keyring state, the account at index 0 is always used for signing even if it isn't the current account.

    Any usage of this package to sign with a BIP44 account other than the first account may be vulnerable. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected.
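The state-restore failure described above, modelled as an added example (constructed code with assumed names, not the @metamask/eth-ledger-bridge-keyring implementation): accounts are identified by their BIP44 index, and a separate current index decides which derivation path signs. The `persistIndex` flag switches between the pre-0.2.2 behaviour (index dropped on serialize) and the fixed behaviour; the derivation path format is an assumption for illustration.

```javascript
// Constructed model of the keyring state bug; assumed names, not library code.
const bip44Path = (i) => `m/44'/60'/${i}'/0/0`; // assumed Ledger Live-style path

class DemoKeyring {
  constructor({ persistIndex }) {
    this.persistIndex = persistIndex; // false = pre-0.2.2 behaviour, true = fix
    this.accounts = [];               // [{ index, address }]
    this.currentIndex = 0;            // BIP44 index the keyring signs with
  }
  addAccount(index, address) {
    this.accounts.push({ index, address });
    this.currentIndex = index;        // the newly added account becomes current
  }
  // Path the signer would derive the key from; with the bug this is index 0.
  signingPath() {
    return bip44Path(this.currentIndex);
  }
  serialize() {
    const state = { accounts: this.accounts };
    if (this.persistIndex) state.currentIndex = this.currentIndex;
    return JSON.stringify(state);
  }
  deserialize(json) {
    const state = JSON.parse(json);
    this.accounts = state.accounts;
    // Without a persisted index the keyring silently falls back to 0.
    this.currentIndex = state.currentIndex ?? 0;
  }
  // Defensive pre-signing check: the signing index must belong to an account
  // the keyring actually holds, otherwise the wrong key is about to be used.
  currentIsKnownAccount() {
    return this.accounts.some((a) => a.index === this.currentIndex);
  }
}

// Simulate: add account #3, "restart" (serialize then deserialize), then sign.
function pathAfterRestart(persistIndex) {
  const before = new DemoKeyring({ persistIndex });
  before.addAccount(3, "0xCONSTRUCTED_ADDRESS_3"); // constructed placeholder
  const after = new DemoKeyring({ persistIndex });
  after.deserialize(before.serialize());
  return { path: after.signingPath(), known: after.currentIsKnownAccount() };
}
```

With `persistIndex: false` the restarted keyring signs with index 0 although only account 3 was ever added, which is exactly what `currentIsKnownAccount()` flags.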

    Remediation

    Upgrade to version 0.2.2 or later.

    Advisory timeline

    1. Advisory Published: May 20th, 2020
    2. Reported by Unknown: Mar 26th, 2020