
Dwallet Labs Says It Uncovered Infstones Validator Vulnerabilities Which Left $1 Billion in Staked Assets ‘Compromised’


Cyber security firm Dwallet Labs said on Nov. 21 that vulnerabilities it found a few months ago on several validators run by Infstones, a validator company, “meant over $1B of staked assets were compromised.” Infstones has acknowledged the existence of the vulnerabilities but says it “disagrees with the severity of the potential impact.”

Traditional Web2 Threats

According to the cyber security firm Dwallet Labs, a security research study initially showed that one validator belonging to Infstones had “a potential vulnerable entry point.” The security firm argued that the vulnerability, which was uncovered more than four months ago, highlights the still significant risks posed to validators by traditional Web2 threats.

To prove such a vulnerability could be used to launch a devastating attack, Dwallet Labs said it created its own node on Infstones “to run our own nodes and attack them.” This step enabled the security firm to gain “full control and extract keys.” By repeating this type of attack, Dwallet Labs uncovered more vulnerabilities. The security firm was subsequently able to affect over 1,000 Infstones servers and “to get full control, including extracting validator keys that are stored locally on the server.”

Vulnerabilities a Threat to Staked Assets

In a Medium post which details the findings of the security research, Elad Enerst, a security researcher at Dwallet Labs, explained that the research had “focused on attacking blockchain networks from a more traditional angle.” The plan, he said, was to treat validators as normal cloud servers and to attack them using what he described as classic techniques.

Meanwhile, in a social media post discussing the potential consequences if a bad actor were able to gain such control, Omer Sadika, the CEO at Dwallet Labs, said:

“The impact of the affected servers meant over $1B of staked assets were compromised, with validator keys that could be stolen for over 1.2% of the stake of Ethereum and 3.9% of Lido. Attackers could exploit vulnerabilities like these in many validator providers to extract keys until they get enough power to take over and/or censor networks.”

For Sadika and his team, uncovering the vulnerability demonstrates that even when a smart contract is air-tight, the infrastructure used to run that smart contract or code can potentially create an “attack vector that allows for completely taking over the network.”

Infstones Says Appropriate Steps Already Taken

While Infstones has acknowledged the existence of a vulnerability uncovered by Dwallet Labs, it reportedly disputes Dwallet Labs’ assessment of “the severity of the potential impact.” According to a post shared by Cryptotag on X (formerly Twitter), Infstones believes the 237 instances in which the vulnerability was found account for less than 0.1% of the live nodes it has launched to date.

Still, the social media post said Infstones has already resolved some of the issues raised by Dwallet Labs in its lengthy report.

However, in a later post following reports that Infstones had taken appropriate steps to resolve the issues highlighted by his firm, Sadika seemingly bemoaned Infstones’ attempt to downplay the problem.

“The worst way to handle a cybersecurity vulnerability is not taking responsibility and lying. We were super open and transparent with the goal of eliminating the risk to Web3. My take: it’s not about whether you are fully secure or not, because no one is, it’s about how you handle it and maintain the trust with your partners and customers,” Sadika stated.




from Bitcoin News https://ift.tt/1YAky2n
