dWallet Labs Research Reveals “Billion Dollar Exploit” Through Compromised Validator Private Keys

dWallet Labs researchers were able to execute commands with root privileges on more than 450 servers, many of which were being used to run validators.

[Image: A golden hand holding a digital globe with crypto coins inside. Created by Kornelija Poderskytė from DailyCoin]

More than a billion dollars of crypto assets have been placed in jeopardy due to poor server configuration. That’s the takeaway of a forensic investigation into the security practices of leading Proof of Stake validators. Authored by Elad Ernst, a cybersecurity researcher at dWallet Labs, the report highlights particular failings by blockchain infrastructure provider InfStones. dWallet Labs researchers were able to execute commands with root privileges on more than 450 servers, many of which were being used to run validators.

Invalidating Web3 Security

Validators form a critical part of blockchain infrastructure, operating at the protocol level on Proof of Stake (PoS) chains such as Ethereum. They are tasked with verifying network transactions and can be rewarded – or penalized – for the quality of their work. On certain networks, validator private keys also hold cryptocurrency, making them a lucrative target for sophisticated attackers.

There has never been a wide-scale hack of validators on an established layer-1 network. The dWallet Labs research team came extremely close, however, and could have stolen millions of dollars of cryptocurrency had they been nefarious actors. Instead, the white hats acted diligently and reported the vulnerabilities they discovered. InfStones’ begrudging response has been given short shrift by the dWallet Labs team.

The Making of a Mega Exploit

“The billion dollar exploit” is a highly clickable headline describing a very real threat. While no crypto assets are believed to have been stolen using the exploit, this is thanks only to dWallet’s responsible disclosure. Had knowledge of the attack vectors fallen into the wrong hands, it could have been a different story.

While the vulnerability dWallet Labs researchers uncovered targets web3, the weakness lies in web2 infrastructure. Elad Ernst explains: “The basic idea is to treat blockchain networks’ central servers (validators) as regular cloud servers and attack them using classic techniques. A chain of vulnerabilities we discovered and exploited during our research allowed us to gain full control, run code and extract private keys of hundreds of validators…potentially leading to direct losses equivalent to over one billion dollars in cryptocurrencies such as ETH, BNB, SUI, and APT.”

It’s hard to envisage a crypto attack of greater magnitude or severity, given that it strikes at the very foundations of blockchain architecture. But how close were the researchers to being in a position to pull the trigger? In the case of validator provider InfStones, the answer is “very.” The report claims at least 1.2% of Ethereum’s total stake could have been stolen, comprising the entire portion overseen by InfStones.

Security Is All Relative

In its report, dWallet Labs takes issue with InfStones’ claims that its validators are “100% secure.” Not only is total security a myth, but there are clear security issues with InfStones’ infrastructure configuration, as the dWallet Labs researchers painstakingly show. dWallet Labs founder Omer Sadika summarizes, “We created our own node on InfStones to run our own nodes and attack them. We were able to take full control and extract keys. Over 100 live servers were vulnerable in this way.”

He continues: “Attackers could exploit vulnerabilities like these in many validator providers to extract keys until they get enough power to take over and/or censor networks. These attacks would also be almost impossible to detect until it’s too late.”

Despite the seeming severity of the attack, InfStones has downplayed its seriousness in a blog addressing the issue, stressing that no client funds were lost. It also notes that it has “engaged accredited external auditors to assess our system and organization controls.” Omer Sadika didn’t mince his words in response, tweeting: “The worst way to handle a cybersecurity vulnerability is not taking responsibility and lying.”

Severe as the threat evidently was, mercifully no validators were compromised and no crypto assets were stolen on this occasion. Hopefully, dWallet Labs’ security report will serve as an eye-opener to all web3 protocols, particularly those running validators. If it could happen to InfStones, it could happen to any infrastructure provider. A system is only as strong as its weakest link, and for web3 projects, that weak link is proving to be web2.

Author
Alex Costa

Alex Costa is a crypto writer and investor specializing in researching, analyzing and reporting on promising small-cap projects that are gaining traction in the industry. He has been in crypto since 2018, when he began looking for hidden gems in crypto. Today, he is dedicated to finding the next top performing NFTs and tokens.