An update on an Argent X bug

The power of building in the open

Tagged

Julien Niset

Oct 3, 2024

Quick summary

  • We were made aware of a bug after the release of Argent X 5.0. The bug was resolved within 3 hours of disclosure. No accounts were impacted
  • The bug only impacted a small number of Argent X users who upgraded to the latest version. It did not impact our other products, including our mobile wallet services on L1 or zkSync.

Building in the open enables anyone to inspect and audit our code. This means that the wider ecosystem can transparently work together to help improve processes and identify bugs.

This week, we were made aware of a bug by the team at Braavos. Transparency is in our DNA, so we’d like to share some more information on what happened and how we fixed it. We would like to make it clear that no accounts were impacted.

What happened?

On Monday, we published release 5.0 of Argent X, supporting the new Cairo 0.10 version. Cairo 0.10 introduces a new transaction type and 2 new methods to the account interface: validate and validate_declare.

To support the migration of accounts from the old interface to the new interface, StarkNet 0.10 had to support legacy transactions for a short period of time.

Sending a legacy transaction to the new account caused the Cairo VM to bypass the validate method and therefore its security checks.

No accounts were impacted.

How we fixed it

Following the disclosure of the issue on Wednesday evening, we immediately deployed a new version of the account to StarkNet mainnet and released the patched version 5.0.3 of Argent X for Chrome and Firefox users. This release asks users to upgrade their accounts to the new version.

In parallel, we collaborated with the StarkWare team to deprecate legacy transactions on the impacted Argent X accounts. No accounts were impacted.

The power of building in the open

StarkNet is incredibly early, with a passionate developer community dedicated to growing the ecosystem, sharing a joint goal of making StarkNet the best it can be.

While the emergence of new wallets to StarkNet may appear to create rivalries. It’s a facade. We’re all working towards a common goal of making StarkNet the best it can be, as demonstrated by the bug disclosure coming from Braavos. We’d like to take this opportunity to publicly thank Braavos for bringing this to our attention.

This reaffirms the power of building collaboratively and in the open, as it meant that this bug was quickly identified and resolved.    

Next steps

While we appreciate upgrades can be an annoyance, for as long as StarkNet is in alpha (until regenesis), we can't guarantee that there won't be any more updates in the near future. These updates are necessary for the continuing process of improving StarkNet. After regenesis, updates will be much less frequent as Starknet matures and leaves the alpha phase.

There will be a further comprehensive audit of our contracts as well as a new bug bounty program in place once Cairo 1.0 is live before the full StarkNet launch.