Flow Port Ledger Bug Disclosure - March 11, 2021

Hi Flow Ledger users,

Yesterday (March 10), the Flow team was made aware of an issue in the Flow Port Ledger companion app that required us to temporarily disable Ledger logins in Flow Port. We have now updated Flow Port with a fix and re-enabled Ledger.

This issue does not compromise the security of your Ledger device. Application logic present in the Flow Port Ledger web interface created a scenario in which it was possible for Flow Port to display a Flow address that was no longer controlled by the user. This scenario, described below, could only occur when using advanced passphrase security on your Ledger; if you don’t use passphrases, you are unaffected.

The Problem

  1. A user opens the Ledger Flow app with a passphrase enabled on their Ledger device.
  2. The user connects their Ledger to Flow Port, which reads the public key reported by the device. If this is the first time the device is being used with Flow Port, it will create a new Flow account linked to the provided public key.*
  3. The user is then prompted to save the address in a storage slot on their Ledger device.
  4. After this, the user decides to change or remove the passphrase and throws away (or forgets) the old passphrase. This resets the private and public keys used by the device.
  5. At this point, the Ledger app still has the old address saved, even though it is not linked to the device’s new public key.
  6. The user logs back in to Flow Port, but this time the web app sees that a Flow address already exists and reads it directly from the device storage slot.
  7. Here’s the problem: Flow Port displays this address to the user without indicating that it does not match the public key on the device. Furthermore, the user may not notice that the Flow address didn’t change, especially if they haven’t used their Ledger for a significant period of time.
  8. They then send funds to this address, but unbeknownst to them, they no longer have access to the account because the original passphrase was discarded.

If you think that the above scenario may describe your usage patterns, please contact the Flow team immediately at security@onflow.org.

*Unlike on other blockchains, Flow addresses are not derived from cryptographic public keys. Instead, each new address is generated in an on-chain transaction using a deterministic function defined by the Flow protocol.

The Solution

The Flow Port Ledger login panel has been updated to always read both the address and public key from the Ledger device. If the public key reported is not linked with the address on the Flow blockchain, the user is prompted to switch to the correct address.

If you are a user who frequently switches between multiple passphrases, you will be prompted to update your Ledger Flow address each time you change the device passphrase.
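The check described above, as an added illustration that is not Flow Port's or Ledger's code: an in-memory model of the device (a key derived from the passphrase plus one address slot) and of the chain (addresses with their authorised keys), replayed through both the old login logic and the corrected one. All names, the key-derivation stand-in, and the address assignment are constructed assumptions; only the ordering of steps follows the disclosure.

```javascript
// Added example, not Flow Port's implementation. Everything here is a constructed stand-in
// for the Ledger device, the Flow chain and the Flow Port login panel.

// Constructed on-chain state: address -> set of public keys authorised on that account.
// Flow addresses are assigned by the protocol, not derived from the key, so a counter is used.
function makeChain() {
  const accounts = new Map();
  let nextAddr = 1;
  return {
    createAccount(publicKey) {
      const address = "0x" + String(nextAddr++).padStart(16, "0");
      accounts.set(address, new Set([publicKey]));
      return address;
    },
    keysFor(address) {
      return accounts.get(address) || new Set();
    },
  };
}

// Constructed device model: the reported public key depends on the passphrase (so changing
// or removing the passphrase rotates the key), while the address slot persists unchanged.
function makeDevice(seed) {
  let passphrase = "";
  let slot = null;
  return {
    setPassphrase(p) { passphrase = p; },
    publicKey() { return `pk(${seed}|${passphrase})`; }, // stand-in for key derivation
    saveAddress(a) { slot = a; },
    storedAddress() { return slot; },
  };
}

// Old behaviour: a stored address is displayed as-is, without comparing it to the device key.
function loginVulnerable(device, chain) {
  const stored = device.storedAddress();
  if (stored) return { address: stored, mismatch: false };
  const address = chain.createAccount(device.publicKey());
  device.saveAddress(address);
  return { address, mismatch: false };
}

// Fixed behaviour: read both the address and the public key every time, and only display the
// address when that key is authorised on it; otherwise report a mismatch so the user is prompted
// to switch addresses instead of being shown an account they no longer control.
function loginFixed(device, chain) {
  const stored = device.storedAddress();
  const pk = device.publicKey();
  if (stored && chain.keysFor(stored).has(pk)) return { address: stored, mismatch: false };
  if (stored) return { address: null, staleAddress: stored, mismatch: true };
  const address = chain.createAccount(pk);
  device.saveAddress(address);
  return { address, mismatch: false };
}

// Replays the disclosure's scenario (first login, passphrase change, second login) against a
// given login implementation and reports what the user would see and whether they control it.
function replayScenario(login) {
  const chain = makeChain();
  const device = makeDevice("seed-A");
  device.setPassphrase("old-passphrase");
  const first = login(device, chain);       // account created, address saved to the slot
  device.setPassphrase("new-passphrase");   // key rotated; the old passphrase is discarded
  const second = login(device, chain);      // slot still holds the old address
  const shown = second.address;
  return {
    firstAddress: first.address,
    shownAddress: shown,
    mismatch: second.mismatch,
    controlsShown: shown !== null && chain.keysFor(shown).has(device.publicKey()),
  };
}

console.log("old logic:", replayScenario(loginVulnerable));
console.log("fixed logic:", replayScenario(loginFixed));
```

With the old logic the second login shows the same address as the first even though the rotated key is not authorised on it; with the fixed logic no address is shown and the mismatch flag drives the prompt to switch. The same check covers the frequent-passphrase-switching case, since every login re-reads both values.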

Ongoing Improvements

This fix prevents Flow Port from displaying misleading information to the user that may cause them to deliver assets to an address they no longer control. However, the Flow team is investigating ways to improve the linkage between Ledger keys and on-chain addresses for all future applications, not just Flow Port.

The Flow team takes these matters extremely seriously. Please do not hesitate to contact us with additional questions at security@onflow.org.