# Harmonize 1.7 (November 13, 2022)

Welcome to the November 2022 release of Harmonize. This 1.7 version brings many updates that we hope you'll enjoy. Here are some of the major new features:

- [Platform](#platform)
  - [ERC 721 support](#erc-721-support)
  - [Integration of WalletConnect Bridge v1](#integration-of-walletconnect-bridge-v1)
  - [New user experience for submission and approval](#new-user-experience-for-submission-and-approval)
  - [New simplified way to transfer funds](#new-simplified-way-to-transfer-funds)
  - [Sign manifest with your accounts](#sign-manifest-with-your-accounts)
  - [Additional enhancements](#additional-enhancements)
  - [Helm charts](#helm-charts)
  - [Miscellaneous](#miscellaneous)


For information about distribution and deployment of this version, see [Distribution and deployment](#distribution-and-deployment).

**The next version will be the first release of Harmonize to have APIs removed** after the depreciation period. We invite you to go to the [versioning page](/products/custody/support/release-management) to check that you would be ready for 1.8. We remain at your disposal to assist you.

## Platform

### ERC 721 support

We've added a new module allowing you **to store your NFT collections** on Harmonize securely.
Whether it’s crypto punks, your customers' NFT cars, or other digital artworks, you now have the ability to admire and transfer them from our beloved web application.

### Integration of WalletConnect Bridge v1

To complete our Web 3 initiative, you can now **connect Harmonize to dApps** through **WalletConnect**.
To help you with this, we've developed a new dedicated personal area, where you just have to choose an account and connect the dApp you want. You'll see, it is prodigiously easy to use it.

### New user experience for submission and approval

We have also started to work on a long, but necessary, project: the redesign of **the user experience to submit and validate intents, both on the web and on the mobile apps**. Our objective: to make the approvals more digestible, user friendly, and then, more secure!

This is what we achieved in this iteration. We hope you will enjoy it and we look forward to receiving your feedbacks.

### New simplified way to transfer funds

The ability to act on all the specificities of the different blockchains can make governance complex for simple financial transfers.

This is why, we've created a **new unique and intelligible intent to process a financial transfer** that you can easily control with a unique approval workflow.

You choose a sender account, a recipient and an amount. And voilà!
After that, we take care of transforming your transfer intent into the language of the target blockchain, be it for native currencies or tokens.

You can find all the details about this new feature in our documentation.
*N.B This feature is only available on the API for the moment and the web version is planned for 1.8.*

### Sign manifest with your accounts

Nowadays, there are multiple use-cases where you would have the need to sign an arbitrary payload with your account keys:

- For Web3 requirements,
- To use wallet proof as authentication token,
- To do some specific actions that Harmonize doesn't support (e.g Withdraw an airdrop, or after an hard fork).


For these reasons, we added a **new type of intent that allows you to create a workflow with different levels of security** (controlled and uncontrolled) and retrieve this information via the API.

You can find all the details about this new feature in our documentation.
*N.B This feature is only available on the API for the moment and the web version is planned for 1.8.*

### Additional enhancements

### Helm charts

We have listened to your feedbacks and we have worked to ship Harmonize with **a new Helm chart suite** allowing you to deploy Harmonize with less configuration and with more capabilities (e.g multiple indexers/chains).

The old packaging will still be supported in version 1.7 and dropped for version 1.8. We remain available to assist you for migrating your deployment flow.

### Miscellaneous

- **Web app:** you can now release from quarantine multiple transfers at once from the account page.
- **Flows**: you now have access to more context in the governance workflow conditions.
- **API only**: The `/intents/{intentId}/remaining-users` API operation has a new filter on user lock status.
- **API only**: A new `/intents/dry-run` API operation has been introduced to allow pre-validation of intent prior to submission, only a subset of intent types are currently supported on 1.7.0


## Distribution and deployment

### Metaco SaaS

Like all new minor releases of Harmonize, this version 1.7 will be rolled out (outside local working hours) in different phases:

- **Integration** environments: **14th November**
- **UAT** environments: **16th November**
- **Production** environments: **23th November**


A downtime of less than 30 minutes should be expected.

## Read Access Privilege escalation vulnerability HMZ-2023-03-30

### Description

Metaco actively supports and advocates for **client based** pentests to proactively identify and rectify vulnerabilities. A recent security audit identified a vulnerability in the authentication server that would enable a user that already has access to Metaco Harmonize to exploit API read-only access of other users who have proposed, approved or rejected an intent on Metaco Harmonize. If successfully exploited, read-only access can be gained to domains that they should not have access to in the same instance. To the best of our knowledge, this vulnerability has never been exploited. Metaco has taken immediate action to address the issue.

### Severity

The vulnerability is assessed to be of LOW severity based on the standard CVSS ([Common Vulnerability Scoring System](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)) matrix, but Metaco treats it as MEDIUM as it could allow an unauthorized user to break some key segregation principles across domains.

#### Likelihood

- This vulnerability is only exploitable by users who already have access to the platform and with privileges to read intents (ie: a malicious user attack);
- The user can only escalate its privileges with intents existing in its current domain, possibly originating from a parent, but not from a sibling domain;
- An intent corresponding to the expected privilege escalation can only be used once (challenges cannot be replayed).


#### Impact

Successful exploitation of this vulnerability can only affect a user's read access to data belonging to other domains. The privilege escalation cannot be used to create/replay transaction requests, gain additional approval privileges, etc. on the Harmonize platform.

### Advisories and Solutions

#### Known Affected Software Configurations

Harmonize up to version **1.7.24**

#### Fixed Software Configurations

Harmonize version **1.7.25** or above

Metaco recommends all on-prem clients update their Metaco Harmonize instance as soon as possible. Those leveraging the Metaco SaaS offering receive the fix automatically in the next maintenance window.