On May 7, blockchain scalability and privacy specialist Starkware discovered a critical security vulnerability in the frontend wallet of Loopring’s decentralized exchange. This bug placed all $5 million worth of the exchange’s funds at risk.
Starkware alerted Loopring, which shut down the exchange and swiftly fixed the bug.
Potential attacker could create all user account keys
Loopring users have two keys: an Ethereum key and a proprietary account key. The vulnerability arose because the frontend wallet used a 32-bit integer to derive each user’s private account key. This could have potentially allowed an attacker to reproduce every key on the platform.
After Starkware demonstrated the flaw to Loopring, the exchange sprang into action, immediately closing down the platform while a fix was put in place.
Loopring users’ Ether (ETH) account keys were not exposed by the vulnerability.
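Why a 32-bit derivation input caps the number of possible keys, shown as an added example (not Loopring's or Starkware's code; the page does not show the actual derivation). The function names, the SHA-256 and scrypt choices, the salt and the sample passwords are assumptions for illustration, and the width is narrowed to 8 bits so the bound is visible in a quick run.

```javascript
const crypto = require('crypto');

// Weak pattern (constructed for illustration): the password hash is cut down
// to a `bits`-wide integer (1..32) before the private key is derived from it.
function weakSeed(password, bits = 32) {
  const h = crypto.createHash('sha256').update(password).digest();
  return h.readUInt32BE(0) >>> (32 - bits);
}

function weakPrivateKey(password, bits = 32) {
  const seed = Buffer.alloc(4);
  seed.writeUInt32BE(weakSeed(password, bits));
  // The output is 256 bits long, yet at most 2^bits distinct keys can occur.
  return crypto.createHash('sha256').update(seed).digest('hex');
}

// Hardened pattern: a salted password KDF whose full 32-byte output is the key.
function strongPrivateKey(password, salt) {
  return crypto.scryptSync(password, salt, 32).toString('hex');
}

// Count distinct keys produced for `count` distinct constructed passwords.
function distinctKeys(derive, count) {
  const seen = new Set();
  for (let i = 0; i < count; i++) seen.add(derive(`constructed-password-${i}`));
  return seen.size;
}

const salt = Buffer.from('constructed-per-account-salt'); // assumed sample value
console.log('weak, 8-bit seed:', distinctKeys(p => weakPrivateKey(p, 8), 2000), 'keys from 2000 passwords');
console.log('scrypt, 256-bit :', distinctKeys(p => strongPrivateKey(p, salt), 40), 'keys from 40 passwords');
```

At the full 32-bit width the same bound is 2^32 keys for the whole platform, however strong each user's password is.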
Pats on the back all round
Loopring announced that it has since patched the security flaw by strengthening the method by which keypairs are produced. It has also stopped order matching for existing users until they have changed their trading passwords, and hence updated their keypairs.
Loopring confirmed that no user funds were lost due to the vulnerability, and commended Starkware for its responsible disclosure. Starkware, in turn, praised Loopring for its professional and timely response in dealing with the bug.
The fact that it was identified, communicated and fixed before the general public found out shows both the solidarity of the Decentralized Finance (DeFi) community, and how it has developed in recent years.
Ross Middleton, CFO of DeversiFi, which is soon to launch a new platform in collaboration with Starkware, explained the importance of this:
“If non-custodial decentralised exchanges want to take on exchanges like Binance and Kraken then they [must] demonstrate that their technology is just as safe or safer to use than existing options. Starkware’s quick discovery of a vulnerability in Loopring is an example of how much DeFi has matured in handling exploits.”