Thread
So I found a ZERO-CLICK vulnerability in @argentHQ allowing an attacker to steal all the funds out of all wallets without any user action or interaction ☠️
Just iterate over wallets and steal funds, easiest 💰
Now that user funds are safe, I can share the story 👇
Just iterate over wallets and steal funds, easiest 💰
Now that user funds are safe, I can share the story 👇
2/x
I was working on our smart contract for #Starknet and noticed an issue with a new way Contracts are expected to verify transactions
First I made sure that Braavos's smart contract is safe, then I decided to verify that Argent did not overlook this subtle issue..and BOOM!
I was working on our smart contract for #Starknet and noticed an issue with a new way Contracts are expected to verify transactions
First I made sure that Braavos's smart contract is safe, then I decided to verify that Argent did not overlook this subtle issue..and BOOM!
3/x
I was able to issue a transaction on a test Argent Wallet WITHOUT ANY SIGNATURE on a *Mainnet* wallet!
Here is the transaction on Mainnet:
starkscan.co/tx/0xe822d983f9c5d3ff320037812633435edcd71afa725e16d84af700973b0da
I was able to issue a transaction on a test Argent Wallet WITHOUT ANY SIGNATURE on a *Mainnet* wallet!
Here is the transaction on Mainnet:
starkscan.co/tx/0xe822d983f9c5d3ff320037812633435edcd71afa725e16d84af700973b0da
4/x
Details 👇
On StarkNet, with account abstraction built-in to the protocol - the responsibility of the signature verification logic moves from the blockchain OS to the account smart contract.
Details 👇
On StarkNet, with account abstraction built-in to the protocol - the responsibility of the signature verification logic moves from the blockchain OS to the account smart contract.
5/x
This is extremely powerful, as it allows for an arbitrary verification logic (among other things).
But as they say, with great power comes great responsibility 💪💪
This is extremely powerful, as it allows for an arbitrary verification logic (among other things).
But as they say, with great power comes great responsibility 💪💪
6/x
up until the latest StarkNet OS release (v0.10.x) the chain supported transaction ‘v0’ in which the account contract main execution code was responsible for calling the signature verification process.
up until the latest StarkNet OS release (v0.10.x) the chain supported transaction ‘v0’ in which the account contract main execution code was responsible for calling the signature verification process.
7/x
From v0.10.x the verification is still done by the account smart contract, but the responsibility to call it moved to the protocol itself.
From v0.10.x the verification is still done by the account smart contract, but the responsibility to call it moved to the protocol itself.
8/x
for the transition period, the protocol continued to support both transactions v0 and v1. Thus, the account contract should expect transactions from both versions (though it does not have to support both).
for the transition period, the protocol continued to support both transactions v0 and v1. Thus, the account contract should expect transactions from both versions (though it does not have to support both).
9/x
The problem with Argent contract was that it tried not to support tx v0, but performed the check in the wrong place - in the validation function that is only called by the StarkNet OS for tx v1.
So tx v0 could have been executed with no signature validation 😱😱
The problem with Argent contract was that it tried not to support tx v0, but performed the check in the wrong place - in the validation function that is only called by the StarkNet OS for tx v1.
So tx v0 could have been executed with no signature validation 😱😱
10/x
Realizing the severity we IMMEDIATELY reported the issue to the Argent team and a fix was issued within a few hours.
In addition, we advised the Starkware team on a quick patch to the OS, so this specific attack to Argent accounts will get blocked immediately
Realizing the severity we IMMEDIATELY reported the issue to the Argent team and a fix was issued within a few hours.
In addition, we advised the Starkware team on a quick patch to the OS, so this specific attack to Argent accounts will get blocked immediately
11/x
This vulnerability is a subtle one that is easy to overlook, but has devastating consequences.
If we hadn’t found the issue so quickly, or if the Argent team did not issue a quick fix, a potential attacker could easily drain all funds from Argent accounts.
This vulnerability is a subtle one that is easy to overlook, but has devastating consequences.
If we hadn’t found the issue so quickly, or if the Argent team did not issue a quick fix, a potential attacker could easily drain all funds from Argent accounts.
12/x
This incident reaffirmed my strong belief that good and extensive tests are a must! It is a tiresome process, but can save a lot of time and in crypto case also lots of money getting lost.
So, my reco. is TEST TEST TEST (and then TEST some more!)
This incident reaffirmed my strong belief that good and extensive tests are a must! It is a tiresome process, but can save a lot of time and in crypto case also lots of money getting lost.
So, my reco. is TEST TEST TEST (and then TEST some more!)
13/x
Happy we had a happy ending here and we can continue as an ecosystem to work towards a better crypto experience.
Smart contract wallets are key for this and can really onboard the next cohort of people to Crypto.
Follow us in our journey @myBraavos 🚀
Happy we had a happy ending here and we can continue as an ecosystem to work towards a better crypto experience.
Smart contract wallets are key for this and can really onboard the next cohort of people to Crypto.
Follow us in our journey @myBraavos 🚀
14/x
Here's the nitty gritty:
medium.com/@braavos_starknet_wallet/zero-click-argent-contract-vulnerability-420740cc07eb
Here's the nitty gritty:
medium.com/@braavos_starknet_wallet/zero-click-argent-contract-vulnerability-420740cc07eb
Mentions
See All
sharesocial @sharesocial
·
Oct 4, 2025
- Post
Hướng dẫn đăng ký và nhận khuyến mãi tại Nhà Cái Au88
Trong những năm gần đây, ngành giải trí trực tuyến tại Việt Nam phát triển mạnh mẽ, đặc biệt là mảng cá cược và game đổi thưởng. Người chơi không chỉ tìm kiếm những phút giây thư giãn mà còn mong muốn có được sân chơi uy tín, an toàn và công bằng. Giữa hàng trăm nhà cái trên thị trường, Nhà Cái Au88 – Sân chơi cá cược uy tín hàng đầu tại Việt Nam đã nhanh chóng khẳng định được vị thế và thu hút đông đảo hội viên tham gia.
Thông tin liên hệ:
Địa chỉ: 123 Nguyễn Văn Linh, Phường Nam Dương, Quận Hải Châu, Đà Nẵng
Điện thoại: +84 792 111 456
Email: support@au88vina.com
Trang web: https://au88vina.com/
https://caf.vass.gov.vn/noidung/hoidap/Lists/DanhSachCauHoi/DispForm.aspx?ID=32624
http://www.monofeya.gov.eg/citizens/cases/Lists/List38/DispForm.aspx?ID=149133
https://www.kzntreasury.gov.za/Lists/FRAUD%20RISK%20ASSESSMENT%20QUESTIONNAIRE/DispForm.aspx?ID=466744