A vulnerability in the Argent wallet would have enabled attackers in stealing funds from users that have no guardians.
Argent wallet vulnerability exploited
The guardian feature allows users to control certain actions of a wallet such as a wallet recovery and locking it. To create an account on the platform, users need to set up guardians. However, accounts created before March 30, 2020, could be set up without a guardian.
Attackers exploited a bug in Argent’s code and triggered a recovery process on accounts that have not set up a guardian. However, users can protect their funds by regularly monitoring their wallets and canceling the recovery request within 36 hours of its issuance.
This is a default recovery period that can now be used to protect user funds. However, if the user blocks a recovery attempt, the bug in the wallet leaves them vulnerable to a denial of service attack that might freeze their funds for an indefinite period of time.
This can be done by repeatedly requesting a wallet recovery so that the account remains in the recovery period and the user will be unable to access the funds.
Argent’s team reported that they would use OpenZeppelin’s fix that would stop attackers from triggering a wallet recovery. Due to the great number of wallets that have no guardians, the firm suggested the addition of a function that would ensure that if a wallet has zero guardians, the request will not be returned.
Argent revealed that it was already contacting affected users to set up at least one guardian for their wallet.