Last night, Avihu Levy, Head of Product from StarkWare, and Louis Guthmann, a product manager and researcher on Avihu’s team, reported a bug to our team regarding the way Loopring Exchange’s frontend generates EdDSA keypairs for users based on their trading passwords. We have confirmed it is a valid bug, and very much appreciate the responsible disclosure.
To alleviate any concern, please know that all funds are safe. However, user action is required: you must reset your trading password on Loopring Exchange if you want existing or future orders to be matched.
In our frontend code, we did an extra hashing of the user’s trading password before generating their EdDSA keypair. Unfortunately, the hash ended up being limited to a 32-bit integer space, which makes enumeration of all users’ EdDSA keypairs possible. This is certainly a critical security issue.
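To make the flaw concrete, here is an added example (it is not Loopring's frontend code) that puts a seed funneled through a 32-bit hash beside a derivation that keeps all 256 bits, plus a regression check that tells them apart. The `hash32` function, the scrypt-based `strongSeed`, the salt and the sample passwords are all assumptions made for illustration; the post does not say which hash was used or how the fix derives keys.

```javascript
// Added example, not Loopring's code. hash32 is an assumed stand-in for the
// post's "hash limited to a 32-bit integer space" (the post does not name it).
const crypto = require('crypto');

// Java-style string hash, truncated to a signed 32-bit integer by `| 0`.
function hash32(password) {
  let h = 0;
  for (const ch of password) h = (Math.imul(h, 31) + ch.codePointAt(0)) | 0;
  return h;
}

// Weak derivation: the 32-byte seed carries only the 4 bytes of hash32, so at
// most 2^32 distinct keypairs exist no matter how long the password is.
function weakSeed(password) {
  const seed = Buffer.alloc(32);
  seed.writeInt32BE(hash32(password), 28);
  return seed;
}

// Hardened derivation (assumed design): memory-hard KDF over the whole
// password, salted per account, keeping all 256 output bits.
function strongSeed(password, accountSalt) {
  return crypto.scryptSync(password.normalize('NFKC'), accountSalt, 32,
    { N: 16384, r: 8, p: 1 });
}

// Regression check: count seed byte positions that vary across sample inputs.
// A derivation that funnels through a 32-bit value can never exceed 4.
function varyingSeedBytes(derive, passwords) {
  const seeds = passwords.map(derive);
  let varying = 0;
  for (let i = 0; i < seeds[0].length; i++) {
    if (seeds.some((s) => s[i] !== seeds[0][i])) varying++;
  }
  return varying;
}

// Constructed sample inputs; the salt is a placeholder account identifier.
const SAMPLE_PASSWORDS = ['tr0ub4dor&3Aa', 'tr0ub4dor&3BB', 'correct horse',
  'battery staple', 'Zq!9-long-passphrase-2020', 'x', 'pässwört', '12345678'];
const SALT = 'account:0xPLACEHOLDER';

console.log('weak varying bytes  :', varyingSeedBytes(weakSeed, SAMPLE_PASSWORDS));
console.log('strong varying bytes:',
  varyingSeedBytes((p) => strongSeed(p, SALT), SAMPLE_PASSWORDS));
```

The first two sample passwords differ only in their last two characters, yet they produce the same weak seed and would therefore share a keypair.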
The EdDSA keypair is used for signing off-chain requests as it is much more SNARK-friendly. These off-chain requests include orders and off-chain withdrawals.
If a user’s EdDSA keypair were to be compromised, the hacker could place an order to sell the compromised user’s asset on our orderbook at a very low price, and profit by being the buying counterpart. In a low liquidity situation, those orders would eventually match.
Besides trades, a hacker could also have made off-chain withdrawal requests, but funds will only be transferred to the account’s rightful owning Ethereum address, not to an arbitrary address the hacker designates. This is a security feature the Loopring protocol offers to handle exactly such key-leaking scenarios.
Your Ethereum account is secure
This bug has nothing to do with your Ethereum accounts or their ECDSA keypairs. The Loopring protocol and Loopring Exchange have no access to your Ethereum ECDSA keypairs at all.
On one hand, we have improved the way we derive EdDSA keypairs. We have deployed a new version to production.
On the other hand, we have stopped order matching for all existing users until they have changed their trading passwords and thus updated their EdDSA keypairs. Deposits and withdrawals have continued and will continue to work as normal.
Action to be taken by users
All users should reset their passwords before their orders can be matched.
You can even use the same trading password; we just need a new password-reset Ethereum transaction.
To make sure you are using a frontend version with the bug fix, please hover over the Beta1 label on the top-left corner and make sure LAST_COMMMIT is NOT
If you still see the old commit hash, please force your browser to reload our website. With Chrome/Firefox, you can: hold down Ctrl and click the Reload button; or, hold down Ctrl and press F5.
To reset your trading password: hover over the account button in the top-right corner, and click ‘Reset Password’ from the slide-out menu.
To reiterate, you will not be able to trade without changing your password.
Action to be taken by Loopring
We will start an internal security audit for our frontend codebase to make sure Layer-2 security is not overlooked at this product level. We will also consider open-sourcing our frontend code in the future.
We will also research other means of generating layer-2 keypairs without relying on users’ brain passwords. One effort we have tried is creating an EdDSA MetaMask plugin, which will come in handy once MetaMask launches plugin support.
To be clear, the Loopring protocol itself is open source, audited, and unaffected by this bug. This was a bug on the Loopring Exchange frontend, and could have affected balances that were on said exchange via the trading attack mentioned above. Thankfully, it did not.
We apologize to our users for any inconvenience this bug may have caused.
We are grateful to Avihu Levy, Louis Guthmann, and StarkWare for reporting the bug in a professional and timely manner. Thank you.
Loopring is a protocol for building high-performance, non-custodial, orderbook exchanges on Ethereum using zkRollup. You can sign up for our Monthly Update, learn more at Loopring.org, or check out a live exchange at Loopring.io.