Severity: critical

Incorrect Account Used for Signing

@metamask/eth-ledger-bridge-keyring

Overview

Versions of @metamask/eth-ledger-bridge-keyring prior to 0.2.2 may use incorrect accounts for signing transactions.

The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has already added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn't restore the index instructing the keyring to use that account for signing. As a result, after serializing then deserializing the keyring state, the account at index 0 is always used for signing even if it isn't the current account.

Any usage of this package to sign with a BIP44 account other than the first account may be vulnerable. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected.

Remediation

Upgrade to version 0.2.2 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    May 20th, 2020
  2. reported

    Reported by Unknown
    Mar 26th, 2020