Incorrect Account Used for Signing

Type nodejs
Reporter Unknown
Modified 2020-05-20T00:30:38



Versions of @metamask/eth-ledger-bridge-keyring prior to 0.2.2 may use incorrect accounts for signing transactions.

The vulnerability affects cases where the user signs a personal message or transaction without first adding the account in the current session. This includes cases where the user added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn't restore the account index that tells the keyring which derivation path to sign with for that account. As a result, after the keyring state has been serialized and then deserialized, the account at index 0 is always used for signing, even if it isn't the currently selected account.

Any usage of this package to sign with a BIP44 account other than the first account may be vulnerable. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected.
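The model below is an added illustration of the two paragraphs above; it is not code from @metamask/eth-ledger-bridge-keyring or MetaMask. The class and method names (HdKeyring, accountIndexes, hdPathFor, serializeVulnerable, serializeFixed), the placeholder address, and the choice to model a missing index as index 0 are assumptions made for the illustration, chosen only to reproduce the behaviour the advisory describes: the list of added addresses survives a serialize/deserialize cycle, the per-address BIP44 account index does not, so signing after a restore derives the path for account 0. The legacy-path branch recovers its index from the account list rather than from stored state, which is why that path is unaffected.

```javascript
// Added illustration, not code from @metamask/eth-ledger-bridge-keyring.
// HdKeyring, accountIndexes, hdPathFor and the "fall back to index 0"
// behaviour are hypothetical modelling choices that reproduce the failure
// mode the advisory describes: the address list survives a serialize /
// deserialize cycle, the per-address account index does not.

const BIP44_PATH = "m/44'/60'";      // BIP44 accounts: m/44'/60'/<index>'/0/0
const LEGACY_PATH = "m/44'/60'/0'";  // legacy MEW/MyCrypto path: m/44'/60'/0'/<index>

class HdKeyring {
  constructor(hdPath = BIP44_PATH) {
    this.hdPath = hdPath;
    this.accounts = [];        // added addresses, in the order they were added
    this.accountIndexes = {};  // address -> BIP44 account index it was derived from
  }

  addAccount(address, index) {
    this.accounts.push(address);
    this.accountIndexes[address] = index;
  }

  // Vulnerable shape: persists the addresses but not the index map.
  serializeVulnerable() {
    return { hdPath: this.hdPath, accounts: [...this.accounts] };
  }

  // Fixed shape: the index map is part of the persisted state.
  serializeFixed() {
    return {
      hdPath: this.hdPath,
      accounts: [...this.accounts],
      accountIndexes: { ...this.accountIndexes },
    };
  }

  static deserialize(state) {
    const keyring = new HdKeyring(state.hdPath);
    keyring.accounts = [...(state.accounts || [])];
    keyring.accountIndexes = { ...(state.accountIndexes || {}) };
    return keyring;
  }

  // Derivation path the keyring would hand to the device when signing for `address`.
  hdPathFor(address) {
    if (!this.accounts.includes(address)) {
      throw new Error(`account ${address} has not been added`);
    }
    if (this.hdPath === LEGACY_PATH) {
      // Legacy path (modelled): the index is recovered from the account list,
      // which does round-trip, so no stored index is needed.
      return `${LEGACY_PATH}/${this.accounts.indexOf(address)}`;
    }
    // BIP44 path: the index must come from the map. A missing entry is
    // modelled as index 0, matching the behaviour the advisory describes.
    const index = Object.prototype.hasOwnProperty.call(this.accountIndexes, address)
      ? this.accountIndexes[address]
      : 0;
    return `${BIP44_PATH}/${index}'/0/0`;
  }
}

// Regression check: every added address must resolve to the same derivation
// path before and after a serialize/deserialize cycle.
function signingPathsSurviveRoundTrip(keyring, serialize) {
  const restored = HdKeyring.deserialize(serialize.call(keyring));
  return keyring.accounts.every(
    (address) => keyring.hdPathFor(address) === restored.hdPathFor(address),
  );
}

// Constructed sample: a placeholder address added as the fourth BIP44 account (index 3).
const SAMPLE_ADDRESS = '0x' + 'ab'.repeat(20);

function demo() {
  const bip44 = new HdKeyring(BIP44_PATH);
  bip44.addAccount(SAMPLE_ADDRESS, 3);
  const legacy = new HdKeyring(LEGACY_PATH);
  legacy.addAccount(SAMPLE_ADDRESS, 3);
  return {
    before: bip44.hdPathFor(SAMPLE_ADDRESS),
    afterVulnerable: HdKeyring.deserialize(bip44.serializeVulnerable()).hdPathFor(SAMPLE_ADDRESS),
    afterFixed: HdKeyring.deserialize(bip44.serializeFixed()).hdPathFor(SAMPLE_ADDRESS),
    vulnerableRoundTripOk: signingPathsSurviveRoundTrip(bip44, bip44.serializeVulnerable),
    fixedRoundTripOk: signingPathsSurviveRoundTrip(bip44, bip44.serializeFixed),
    legacyRoundTripOk: signingPathsSurviveRoundTrip(legacy, legacy.serializeVulnerable),
  };
}

console.log(demo());
```

Run it with `node`. With the vulnerable serialization the BIP44 account added at index 3 resolves to the index-0 path after a round trip, while the fixed serialization and the legacy path both keep their paths. The `signingPathsSurviveRoundTrip` check is the kind of test that would have caught this: any keyring that derives signing paths from in-memory state should assert that every added account still resolves to the same path after its state has been serialized and restored.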


Upgrade to version 0.2.2 or later.