The researchers conducted an in-depth analysis of blockchain security, focusing on a less explored aspect— the security of the central servers, known as validators, that support blockchain networks. These validators were provided by InfStones, a company offering staking services on various blockchain protocols.
The researchers discovered a chain of vulnerabilities that allowed them to compromise the security of these validators. The research team adopted a distinctive approach, treating blockchain validators as conventional servers and delving into classical hacking techniques.
The vulnerabilities unearthed not only granted control over these validators but also enabled the execution of code and extraction of private keys, potentially leading to losses surpassing one billion dollars in various cryptocurrencies, including ETH, BNB, SUI, and APT, among others.
https://twitter.com/omersadika/status/1726940679849287950?embedable=true
They initiated their investigation with the Sui blockchain network, known for its robust security. Using an API call on the Sui Explorer, they obtained a list of active validators and IP addresses. Further investigation led them to a specific server managed by InfStones, which piqued their interest.
The targeted server had an open port (55555/tcp) running an open-source Tailon tool, designed for reading log files. Exploiting a vulnerability in Tailon, the researchers gained Remote Code Execution (RCE) on the Sui validator.
Tailon ran as a root user, giving the researchers significant privileges.
They exploited this initial entry point and extended their attack to other InfStones servers using a similar setup. Through a Censys search, they identified close to 80 servers with the same Tailon service. However, some servers required basic authentication for access.
To overcome this, the researchers created an account on the InfStones platform and, through their investigation, discovered an API that acted as a proxy connecting to Tailon. By setting up their server and using the proxy, they obtained credentials that allowed them to authenticate on servers requiring basic authentication.
Having gained control of around 80 nodes, the researchers reported the initial vulnerability to InfStones in July 2023. They found AWS credential files on all servers during their exploration, indicating that InfStones downloaded blockchain network binaries from S3 buckets.
The compromised credentials had read access to the buckets and write access, enabling potential manipulation of the binaries.
Further exploration uncovered a service running on port 12345 named "infd." The researchers identified that this service ran as a root user by exploiting a command injection vulnerability in the "upgrade" route. However, JWT authentication posed a challenge.
The researchers discovered a server with a specific CloudProvider setting that allowed them to bypass JWT authentication and exploit the command injection vulnerability. This server was identified as the InfStones Aptos validator, which staked approximately 150 million dollars.
The impact of these vulnerabilities was substantial. An attacker exploiting these flaws could acquire the private keys of validators across various blockchain networks, potentially leading to the slashing of validators, withdrawal of staked funds, or theft of staking rewards. The affected validators represented a significant portion of the Ethereum network and Lido, a major operator in the space.
The researchers responsibly disclosed their findings to InfStones and communicated the potential impact of the vulnerabilities. InfStones claimed to have remediated the issues, and the researchers agreed to delay public disclosure to allow time for remediation efforts and key rotation.
Lido DAO has acknowledged the reported vulnerability and is actively collaborating with InfoStones to address the identified issues. The focus is on rectifying the problem specifically related to Ethereum nodes within InfoStones' infrastructure.
While progress is being made in addressing the Ethereum-related concerns, there remains uncertainty regarding the extent of the impact on Lido's validators and other networks mentioned in dWallet's comprehensive report. The collaborative effort aims to thoroughly investigate and mitigate any potential repercussions arising from the vulnerabilities.
This study highlighted a gap in the accountability and responsibility related to the security of blockchain network validators. While considerable resources are invested in code quality and smart contract security, the security of validators is often considered out of the scope of bounty programs, creating a potential entry point for attackers.
The researchers emphasized the need for increased focus on the security of validators, crucial components of blockchain networks.
Looking Forward
Users can take several actionable steps to enhance the security of their involvement in blockchain networks and technologies. First and foremost, it is crucial to stay informed about the ever-evolving security landscape of blockchain networks.
Following reputable sources, security researchers, and organizations regularly sharing insights and updates will help individuals and organizations avoid potential risks and vulnerabilities.
If you are involved in staking or operating nodes on blockchain networks, diversifying your validator services is a prudent strategy. Relying on a single service provider increases the risk of vulnerabilities or attacks.
Furthermore, regular security audits of the infrastructure are essential. These audits should go beyond the assessment of code and smart contracts, extending to the security of the validators supporting the network.
Implementing multi-factor authentication (MFA) is another critical measure. Enabling MFA on all accounts and services related to blockchain operations adds an extra layer of security, mitigating the risk of unauthorized access.
Security awareness training for personnel managing blockchain infrastructure is equally important. It ensures that individuals are well-informed about potential threats, common attack vectors, and the best security practices.
In the event of discovering vulnerabilities in blockchain networks or services, it is advisable to follow responsible disclosure practices. Promptly notifying the affected parties and collaborating with them to address the issues before public disclosure can minimize potential harm.
Additionally, regularly reviewing and auditing the configurations of cloud services used in blockchain operations is vital. This includes securing services, closing unnecessary open ports, and appropriately configuring access controls.
Recognizing the critical role of validators in the security of blockchain networks is essential. Encouraging blockchain projects and organizations to include validator security as part of their security programs and bug bounty initiatives can contribute significantly to a more secure ecosystem.
Continuous monitoring for unusual activities and unauthorized access on validator nodes is also recommended. Early detection of suspicious behavior can prevent or minimize the impact of security incidents.
Finally, supporting initiatives that advocate for comprehensive security programs in the blockchain space and the inclusion of validator security in bounty programs will contribute to addressing potential vulnerabilities effectively.