The Fireblocks research team recently discovered an ERC-4337 account abstraction vulnerability in the smart contract wallet UniPass. Fireblocks partnered with UniPass to mitigate the vulnerability across the hundreds of affected mainnet wallets in a white hat operation. All funds are now safe and accounted for.
According to the disclosure, the vulnerability allowed an attacker to take over a UniPass wallet completely by replacing the wallet's trusted ERC-4337 entry point, activating the account abstraction module on the attacker's terms. Once the takeover is complete, the attacker can treat the wallet as their own and drain all of its funds. Hundreds of users who had activated the ERC-4337 module in their wallets were exposed, and the attack could be carried out by any address on the blockchain, with no prior access to the wallet. The vulnerability consists of three separate issues, none of which is exploitable on its own; combined, they yield owner-level access to the wallet.
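To make the mechanism concrete, here is an added illustration of why an ERC-4337 account must protect the address it trusts as its EntryPoint. This is example code written for this page, not UniPass's contracts or the code Fireblocks audited; the contract and function names (`VulnerableAccount`, `HardenedAccount`, `Takeover`, `setEntryPoint`, `execFromEntryPoint`) are hypothetical, and the sketch assumes a single-owner account with a v0.6-style `validateUserOp`. The vulnerable version lets any caller swap the EntryPoint; since every execution path trusts `msg.sender == entryPoint`, that one unprotected setter is equivalent to owner access. The hardened version restricts the setter to the owner or to the account itself (a self-call, which can only originate from a UserOperation that already passed signature validation).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-4337 v0.6-style UserOperation (field names follow the spec).
struct UserOperation {
    address sender;
    uint256 nonce;
    bytes initCode;
    bytes callData;
    uint256 callGasLimit;
    uint256 verificationGasLimit;
    uint256 preVerificationGas;
    uint256 maxFeePerGas;
    uint256 maxPriorityFeePerGas;
    bytes paymasterAndData;
    bytes signature;
}

// HYPOTHETICAL vulnerable account: the trusted EntryPoint is writable by anyone.
contract VulnerableAccount {
    address public owner;
    address public entryPoint;

    constructor(address _owner, address _entryPoint) {
        owner = _owner;
        entryPoint = _entryPoint;
    }

    receive() external payable {}

    // BUG: no access control. Whoever calls this becomes the "EntryPoint",
    // and everything below trusts the EntryPoint unconditionally.
    function setEntryPoint(address newEntryPoint) external {
        entryPoint = newEntryPoint;
    }

    // Trusts msg.sender because a real EntryPoint only calls this after
    // validateUserOp succeeded. A fake EntryPoint never runs validation.
    function execFromEntryPoint(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == entryPoint, "not entrypoint");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }
}

// HYPOTHETICAL attacker contract: makes itself the EntryPoint, then drains.
contract Takeover {
    function drain(VulnerableAccount victim, address payable to) external {
        victim.setEntryPoint(address(this));              // step 1: become the trusted caller
        victim.execFromEntryPoint(to, address(victim).balance, ""); // step 2: act as the wallet
    }
}

// HYPOTHETICAL hardened account: EntryPoint changes need owner or self authority.
contract HardenedAccount {
    address public owner;
    address public entryPoint;

    event EntryPointChanged(address indexed oldEntryPoint, address indexed newEntryPoint);

    constructor(address _owner, address _entryPoint) {
        owner = _owner;
        entryPoint = _entryPoint;
    }

    receive() external payable {}

    // A self-call can only originate from execFromEntryPoint, i.e. from a
    // UserOperation whose signature the owner produced.
    modifier onlyOwnerOrSelf() {
        require(msg.sender == owner || msg.sender == address(this), "unauthorized");
        _;
    }

    function setEntryPoint(address newEntryPoint) external onlyOwnerOrSelf {
        require(newEntryPoint != address(0), "zero entrypoint");
        emit EntryPointChanged(entryPoint, newEntryPoint);
        entryPoint = newEntryPoint;
    }

    // Called by the EntryPoint before execution; verifies the owner's signature
    // over userOpHash (EIP-191 personal_sign digest). Returns 0 = valid.
    function validateUserOp(UserOperation calldata op, bytes32 userOpHash, uint256 missingAccountFunds)
        external returns (uint256 validationData)
    {
        require(msg.sender == entryPoint, "not entrypoint");
        require(_recover(userOpHash, op.signature) == owner, "bad signature");
        if (missingAccountFunds > 0) {
            (bool ok, ) = payable(msg.sender).call{value: missingAccountFunds}("");
            require(ok, "prefund failed");
        }
        return 0;
    }

    function execFromEntryPoint(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == entryPoint, "not entrypoint");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    function _recover(bytes32 userOpHash, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash));
        return ecrecover(digest, v, r, s);
    }
}
```

The practical check this suggests for any account abstraction module: enumerate every function that can change the trusted EntryPoint, a module's enabled state, or the owner set, and confirm each one requires either the owner's authority or a self-call that can only be reached through a validated UserOperation. A setter that is reachable by an arbitrary external caller, even indirectly through another module, collapses the whole trust model to "anyone on the chain".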