HashEx Security Warning – A single signature can drain your wallet

HODLX Guest Post
Not a day goes by without an incident in the DeFi space. This time, a vulnerability was found in the widely used 'elliptic' library.
To make matters worse, exploitation can let hackers take control of users' private keys and drain wallets through a simple fraudulent message signed by the user.
Is this a critical problem?
The first thing to consider is that libraries such as elliptic provide developers with ready-made code components.
This means that rather than writing the code from scratch and verifying it themselves, developers take the elements they need from the library.
This is considered safer practice, because libraries are continuously used and tested, but it also increases the risk when one of them turns out to have a vulnerability.
The elliptic library is widely used throughout the JavaScript ecosystem. It powers cryptographic functions in many well-known blockchain projects, web applications and security systems.
According to npm statistics, the package containing the bug is downloaded about 12-13 million times a week, and more than 3,000 projects depend on it directly.
This wide use means that the vulnerability potentially affects a large number of applications, especially cryptocurrency wallets, blockchain nodes and electronic signature systems, as well as any service that relies on ECDSA signatures through the library, particularly when it handles externally supplied input. The vulnerability allows remote attackers to fully compromise sensitive data without proper authorization.
As a result, the problem received a very high severity score: approximately nine out of 10 on the CVSS scale. It is important to note that exploiting this vulnerability requires a very specific sequence of actions, and that the victim must sign arbitrary data supplied by the attacker.
This means that some projects may remain safe, for example if an application only signs predetermined internal messages.
Nevertheless, many users do not pay as much attention when signing a message through a crypto wallet as they do when signing a transaction.
When a Web 3.0 site asks users to sign terms of service, users usually neglect to read them.
Similarly, users may sign a message for an airdrop without fully understanding the consequences.
Technical Details
The problem stems from improper handling of errors during the creation of ECDSA (Elliptic Curve Digital Signature Algorithm) signatures.
ECDSA is widely used to verify that messages, such as blockchain transactions, are genuine.
To create a signature you need a secret key, which only the owner knows, and a unique random number called a 'nonce'. If the same nonce is used more than once for different messages, someone can work out the secret key using math.
Normally, attackers cannot work out the private key from one or two signatures, because each uses a unique random number (nonce).
But the elliptic library has a flaw: when it receives an unusual type of input (such as a special string instead of the expected format), it can create two signatures with the same nonce for different messages. This error can reveal the private key, which should never happen when ECDSA is used properly.
An attacker needs two things to take advantage of this vulnerability.
- A valid message and signature from the user, for example from previous interactions
- A second message, specifically crafted to exploit the vulnerability, that the user signs
With these two signatures, the attacker can calculate the user's private key and gain full access to the funds and actions associated with it. Detailed information is available in the GitHub security advisory.
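As an added illustration (not code from the article, HashEx or the elliptic project), the JavaScript below shows two defensive checks that follow from this description: rejecting any signing input that is not a raw 32-byte digest, and scanning stored signatures for a repeated r value under one key, which is how a reused nonce shows up. The record fields, function names and sample values are assumptions constructed for the example.

```javascript
// Added example; names and sample records are hypothetical / constructed.

// Accept only a raw 32-byte digest. Strings, numbers and arrays of the
// wrong length are rejected instead of being coerced by the signing library.
function requireDigest(input) {
  if (!(input instanceof Uint8Array) || input.length !== 32) {
    throw new TypeError('signing input must be a 32-byte Uint8Array');
  }
  return Uint8Array.from(input); // defensive copy
}

// Canonical form for comparing hex values: no 0x, lowercase, no leading zeros.
function normHex(h) {
  return String(h).replace(/^0x/i, '').toLowerCase().replace(/^0+(?=.)/, '');
}

// Two ECDSA signatures from one key that share r indicate a reused nonce.
// Report each such pair whose digests differ; a deterministic signer
// repeating r for an identical message is expected and is not reported.
function findNonceReuse(records) {
  const firstSeen = new Map();
  const findings = [];
  for (const rec of records) {
    const key = normHex(rec.pubkey) + '|' + normHex(rec.r);
    const prev = firstSeen.get(key);
    if (!prev) { firstSeen.set(key, rec); continue; }
    if (normHex(prev.digest) !== normHex(rec.digest)) {
      findings.push({ pubkey: rec.pubkey, ids: [prev.id, rec.id] });
    }
  }
  return findings;
}

// Constructed sample log (short placeholder values, not real signatures).
const sampleLog = [
  { id: 'sig-1', pubkey: '0x02aa', r: '0x00c1f3', digest: '0x1111' },
  { id: 'sig-2', pubkey: '0x02aa', r: '0x7d20',   digest: '0x2222' },
  { id: 'sig-3', pubkey: '0x02AA', r: 'C1F3',     digest: '0x3333' }, // same r as sig-1
  { id: 'sig-4', pubkey: '0x03bb', r: '0xc1f3',   digest: '0x4444' }, // different key
  { id: 'sig-5', pubkey: '0x02aa', r: '0x7d20',   digest: '0x2222' }, // same message again
];

// Helper for callers that prefer a boolean over an exception.
function isAcceptedInput(x) {
  try { requireDigest(x); return true; } catch (e) { return false; }
}
```

Run over the sample log, `findNonceReuse` reports only the `sig-1`/`sig-3` pair; a hit on real data means the key involved should be treated as exposed and rotated.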
Exploitation scenarios
Attackers can exploit this vulnerability in various ways, including the following.
- Phishing attacks that direct users to fake websites and ask for message signatures
- Malicious DApps (decentralized applications) disguised as harmless services, such as signing terms of use or participating in airdrops
- Social engineering that convinces users to sign seemingly harmless messages
- Compromising the private keys of servers that sign messages from users
A particularly relevant aspect is users' generally relaxed attitude toward signing a message, compared with signing a transaction.
Crypto projects often ask users to sign terms of service or airdrop participation messages, which potentially facilitates exploitation.
So think about it: would you sign a message to claim free coins? What if that signature could cost you your entire crypto balance?
Suggestions
Users should immediately update all applications and wallets that use the elliptic library for signatures to the latest secure version.
Be careful when signing messages, especially those from unfamiliar or suspicious sources.
Wallet and application developers should check which versions of the elliptic library they use.
If any users may be affected by a vulnerable version, developers should inform them of the need for an urgent update.
Gleb Zykov is the founding partner and CTO of HashEx Blockchain Security. He has more than 14 years of experience in the IT industry and more than eight years of experience in internet security, as well as a strong technical background in blockchain technology (Bitcoin, Ethereum and EVM-based blockchains).