Disclosure: Rare Bug in Umbra Resolved
February 18, 2022 / Ben DiFrancesco
This post is a disclosure of a bug in the Umbra web client which, in a rare set of circumstances, may have resulted in the loss of user funds.
Quick Take TL;DR
- A bug was found in the Umbra web client which, in a very specific and unlikely set of circumstances, could result in funds being sent to an unrecoverable stealth address.
- The feature which caused the bug was gated behind the "Advanced Mode" toggle and could not occur in "normal" usage of the Umbra web client.
- The bug was only present on Mainnet Ethereum; Polygon users were never at risk.
- The bug was not related to Umbra's fully audited smart contracts nor to the core cryptography which underlies the Umbra protocol.
- The bug has been fully resolved, and only one instance of lost funds has been identified.
- The user that lost the funds has been fully refunded.
- As always, we take both disclosure of bugs and our responsibility to our users extremely seriously.
- We are grateful for the community's continued support of Umbra.
Technical Details
As mentioned, the bug could only occur if the user had toggled the Advanced Mode flag in the Umbra client. Specifically, it affected the "Send using recipient's standard public key" checkbox, which allows the sender to specify a receiving address that has not previously configured Umbra. While this feature might be important for certain advanced users, its use is discouraged in the UI and Umbra's FAQ.
The feature in question works by recovering the public key for the receiver's Ethereum address from a prior transaction, and using that public key to generate a stealth address, rather than a public key published in the Umbra Stealth Key Registry.
The bug was introduced when Ethereum hardforked to add EIP-1559. In this hardfork, a new type of transaction was added. The new transaction type, referred to as "Type 2", requires a different deserialization format in order to recover the correct public key. The Umbra app did not take this into account. That meant Umbra would recover the wrong public key if a sender:
- Enabled Advanced Mode
- Checked the "Send using recipient's standard public key" checkbox
- Specified a receiving address that had only sent EIP-1559 "Type 2" transactions
This combination of events was only possible on Mainnet Ethereum (and the Rinkeby testnet). Users of Umbra on Polygon were never at risk, even with Advanced Mode enabled. Only one instance of this bug on Ethereum Mainnet has been identified. The user who lost the funds has been refunded.
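To make the serialization difference concrete, here is an added example (not Umbra's code) that builds the bytes a sender actually signs for a legacy EIP-155 transaction and for a Type 2 transaction, and refuses any type it does not know. The function names and sample transactions are constructed for illustration, the access list is assumed to be empty, and the keccak256 hashing and ECDSA recovery steps are left out.

```javascript
// Added example: names and sample values are constructed, not from Umbra.
// Minimal RLP: a Buffer is a byte string, an array is a list.
function lenPrefix(len, base) {
  if (len <= 55) return Buffer.from([base + len]);
  const lenBytes = int(len);
  return Buffer.concat([Buffer.from([base + 55 + lenBytes.length]), lenBytes]);
}
function rlp(item) {
  if (Array.isArray(item)) {
    const body = Buffer.concat(item.map(rlp));
    return Buffer.concat([lenPrefix(body.length, 0xc0), body]);
  }
  if (item.length === 1 && item[0] < 0x80) return item;
  return Buffer.concat([lenPrefix(item.length, 0x80), item]);
}
// Integers: big-endian, no leading zeros, zero is the empty string.
function int(n) {
  let hex = BigInt(n).toString(16);
  if (hex === '0') return Buffer.alloc(0);
  if (hex.length % 2) hex = '0' + hex;
  return Buffer.from(hex, 'hex');
}
const bytes = (hex) => Buffer.from(hex.slice(2), 'hex');

// Bytes whose keccak256 hash the sender signed. Recovering a public key from
// the signature only gives the sender's key if this matches the tx type.
function signingPreimage(tx) {
  switch (tx.type) {
    case 0: // legacy with EIP-155 replay protection
      return rlp([int(tx.nonce), int(tx.gasPrice), int(tx.gasLimit), bytes(tx.to),
        int(tx.value), bytes(tx.data), int(tx.chainId), int(0), int(0)]);
    case 2: // EIP-1559: type byte, then a different field list
      return Buffer.concat([Buffer.from([0x02]), rlp([int(tx.chainId), int(tx.nonce),
        int(tx.maxPriorityFeePerGas), int(tx.maxFeePerGas), int(tx.gasLimit),
        bytes(tx.to), int(tx.value), bytes(tx.data), tx.accessList])]);
    default: // fail closed rather than guess a layout
      throw new Error(`unsupported transaction type ${tx.type}`);
  }
}

// Constructed sample transactions (not real on-chain data).
const base = { nonce: 7, gasLimit: 21000, to: '0x' + '11'.repeat(20),
  value: 10n ** 18n, data: '0x', chainId: 1 };
const legacyTx = { ...base, type: 0, gasPrice: 30000000000n };
const type2Tx = { ...base, type: 2, maxPriorityFeePerGas: 2000000000n,
  maxFeePerGas: 40000000000n, accessList: [] };

console.log('legacy:', signingPreimage(legacyTx).toString('hex'));
console.log('type 2:', signingPreimage(type2Tx).toString('hex'));
```

Because ECDSA recovery returns a valid-looking key for any digest, a further check is to derive the address from the recovered key and compare it with the transaction's sender before using the key.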
For even more technical details, check out this pull request on GitHub.
Wrap Up
The safety of our users' funds is our highest priority when developing Umbra. While we regret the occurrence of this bug, we are committed to transparent disclosure, and glad that its impact was extremely narrow.
One clear takeaway from this incident is that safe, audited, bug-free code can still be rendered broken by changes to the underlying network. Moving forward, we are putting in place processes to ensure Umbra always functions correctly on every network where it's deployed, even as those networks themselves evolve and are upgraded.
As always, we appreciate your support. Umbra is a community funded project. We have a number of exciting things under development that we can't wait to share with you. We are eager to continue improving privacy preserving stealth addresses for the Ethereum ecosystem. There's lots left to build. Onward!