Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Unauthorized Account Permission Transfer via Update Permission Transaction #708

Closed
aghamir opened this issue Dec 21, 2024 · 3 comments

Comments

@aghamir
Copy link

aghamir commented Dec 21, 2024

Issue Details:

The current implementation allows for an Update Account Permission transaction to be exploited by hackers to completely take over the permissions of a victim's account. This means that once a malicious party gains access to perform this transaction, they can override the existing permissions, ruling the account and victim completely lost the control of account.

Recommendation:

In any situation, nobody can revoke control of an account from private key. Implementing this will prevent unauthorized parties from transferring or modifying account permissions, thereby maintaining the integrity and security of user accounts.

@xxo1shine
Copy link
Contributor

@aghamir Once the private key is lost, the account is completely out of control. In a multi-signature system, will the account become even less secure?

@laurenceja
Copy link

Private key, multi-signature, each way has its advantages and potential disadvantages. They complement each other's weaknesses. If privatekey can change account's permsision after the account being controlled by multiple ones , that means the multi-signature function is totally useless.

@vivian1912
Copy link
Collaborator

In fact, the same issue is discussed under #676 . So closed this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants