$11 000 USD

FEBRUARY 2020

GLOBAL

AUTHEREUM

DESCRIPTION OF EVENTS

"Authereum was founded May 15th 2019, by Chris Whinfrey, Miguel Mota and Shane Fontaine." "We’re a new project and have big plans for our smart contracts."

"Authereum is an Ethereum-based wallet and dApp login solution. It allows users to easily interact with web 3 applications via any browser, using nothing but a username and password." "By enabling the use of just a username and password, Authereum has removed the need for the additional installation of any extra software, greatly improving accessibility for non-technical users."

"No downloads, no seed phrases. Simply, the best Web3 experience at your fingertips. Built by blockchain security experts to keep your assets safe. You and only you can access your funds. Add recovery accounts in case you lose access to your account. Add Google Authenticator or hardware keys as an extra layer of protection for your account. Top decentralized projects trust Authereum. Only you can access your assets. Each account is 100% non-custodial, allowing you and only you to access your funds. You’re safe even if our servers get compromised. Access to your tokens, collectibles and last transactions anytime and with any device. Integrate directly by Authereum or use your favorite web3 library."

A "smart contract audit was prepared by Quantstamp" on "2020-01-21 through 2020-02-03". "The scope of the audit was limited to the contracts located in two folders: account and upgradeability. The code is overall well-written and documented."

"On Monday, February 17th, 2020, [the Authereum] team received a vulnerability disclosure from samczsun. The vulnerability takes advantage of the order of operations in one of the account contract’s meta transaction functions and allows an attacker [to] take control of the account. Please see samczsun’s detailed write-up here."

"Thanks to the responsible disclosure, [the] team was able to quickly triage the issue and execute on a plan to secure users’ funds that evening. We’re relieved to say that no funds were lost and users are in complete control of their accounts."

"To fix the issue, [they] used the exploit to force upgrade the account to the patched implementation, and then released control back to the user. [They] were able to do this with nearly zero interruption in service and without losing a penny of the $11,422.64 that was at risk."

"As we continue to iterate, we’ll be engaging in additional security audits to get more eyes on the code. Also, the auditing firm we previously engaged with has graciously offered to put the cost of the audit towards a bug bounty for Authereum with half of those funds going to samczsun for this discovery. Lastly, we plan on exploring options with Nexus Mutual to provide coverage for users in the event of an exploited smart contract vulnerability in the future."

Now you can give access to your funds from anywhere with just a single username and password. A great feature for the average user who isn't good at choosing secure passwords, often works on computers that are public or infected with malware, and tends to reuse the same password across multiple accounts. Free yourself from the need to save a backup of anything! If you want, you can even set up a complex feature so that when you lose your phone or it gets damaged, it generously and permanently donates all your funds to the blockchain network of your choice.

As a special bonus, this system depends on a smart contract that came with an additional vulnerability which the smart contract audit did not find. Luckily, only $11,400 USD of funds were at risk, and the vulnerability was found before it was exploited.

HOW COULD THIS HAVE BEEN PREVENTED?

No user funds were lost in this case.

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.