-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wallet: Access to the account can be lost after enabling 2FA #201
base: master
Are you sure you want to change the base?
Conversation
I'm not sure I understand the full implications of this change; can you think of any reasons why the existing contract doesn't already have |
I can confirm this bug, it already killed one account. Another way to fix it in the wallet:
|
Also the wallet may check if init of 2FA was successful to continue deleting keys. This solution is absolutely must if the contract will not be updated, but even with contract update it would be good to have to keep users protected. |
I've asked @evgenykuzyakov and he confirmed that From my perspective it may be risky if previous contract affected the state somehow, filling persistent UnorderedMaps with arbitrary data. However, this problem is related to any contract at NEAR, not multisig only. I'd prefer to have a directive Also @ilblackdragon may have some thoughts as he's code author. |
@austinabell Do you have any insights into this change as far as unintended consequences go? |
My only concern is that since the state is not validated in any way, if some external tool relies on the multisig, the owner could just overwrite the current state to require only one signature for example and then sign and pass anything. Perhaps the solution involves trying to deserialize into the multisig state and if it is a valid multisig state you don't allow overwriting it? This doesn't solve the issue, but minimizes the chances of this happening by accident? Let me know if you think this is a valid concern or if I am missing something about how the owner could just overwrite the current state/requirements based on how this is actually used. |
Looks valid to me. As I said above, the state may be filled with arbitrary data that may be interpreted by contract as some instructions (exploits). However, there is not an issue of the contract itself. Both versions of the contract - with Regarding wallet, the contract version without Regarding exploits, it's still possible for attacker to write custom version of multisig and then imitate 2FA enabling with malicious contract. So @austinabell your approach is possible today, even while official contract don't have Overall, it looks like political decision. Impossibility to deploy the contract after the state is initialized makes the contract less useful, but a little bit more "safe". The main question is how wallet should process this, and it shouldn't kill accounts in any way. :) |
near/near-wallet#2387