The Billion Dollar Private Keys Exploit — Validators as Attack Vectors

NEFTURE SECURITY | Blockchain Security
Coinmonks


A billion dollars’ worth of staked tokens could’ve been silently stolen if not for dWallet Labs’ preemptive investigation into validator infrastructure safety.

A simple check of the network's server security revealed how neglected the security of validators, the backbone of Proof of Stake (PoS) blockchain infrastructure, had been.

So much so that the most common and basic attacks used against Web2 cloud servers could have resulted in the loss of one billion dollars.

dWallet Labs traced a chain of vulnerabilities back to InfStones, a validator infrastructure provider, which enabled them to gain full control, execute code, and extract private keys from hundreds of validators across multiple major networks.

Elad Ernst, the cyber security researcher at dWallet Labs who led the research and broke the story, revealed that attackers could gain complete control over a network by targeting its validators and collecting their private keys.

With these keys, attackers could disrupt or take over the network entirely.

At the very least, 1.2% of Ethereum's stake could have been stolen through the theft of Ethereum validator private keys.

Worse, they hypothesize that if a malicious group such as North Korea's state-sponsored Lazarus Group were to exploit these vulnerabilities, it would have patiently waited to collect enough private keys to control the entire network, then struck on what they call "judgment day."

Here’s a breakdown of how they uncovered this could-have-been nightmarish scenario.

Step One — Controlling 80 Nodes

dWallet Labs initially targeted the Sui blockchain network. Using an API call that lists the active validators, they found one with an open port (55555/tcp) on a server owned and managed by "InfStones," the validator infrastructure provider mentioned above that serves many different blockchain networks.

Investigating further, they found that the open port 55555/tcp led to an open-source tool called Tailon, which allows file reading and log monitoring.

Digging deeper, they identified a remote code execution (RCE) vulnerability in Tailon that granted them root privileges.

Root privilege refers to the highest level of access or authority on a computer system.

The root user has unrestricted access to all files, commands, and system resources, allowing them to perform any action on the system, including modifying system settings, installing or removing software, and accessing sensitive data.

Having root privilege is akin to having full administrative control over the entire system.

Assuming that if one server suffered from this vulnerability, more could be found, they used Censys, a search engine that indexes Internet-connected devices and services for security research and threat detection, to look for similar servers.

“Censys output 115 results” — Source: dWallet Labs

They ultimately found nearly 80 vulnerable servers on Censys but ran into authentication issues.

After creating an account on InfStones, they uncovered an API proxy that exposed usernames and passwords in cleartext, granting access to all of those servers.

The HTTP credentials from the proxy request, which dWallet Labs used to connect to the other servers found on Censys — Source: dWallet Labs

That's how simple it was for dWallet Labs to seize control of approximately 80 nodes, including validator nodes, and to execute code on each of them had they so wished.

Ultimately, they found that poor server configuration enabled them to execute commands with root privileges on over 450 servers, a significant portion of which were used to run validators.

Step Two — Taking Over 450 Servers

After their discovery, they informed InfStones about the initial vulnerability and continued exploring.

They discovered AWS credentials on all servers, with write access to the S3 buckets:

“AWS credential files were detected on all servers. It appears that when InfStones initiates a new node, it downloads the blockchain network binaries from the S3 buckets.

We found, however, that the credentials stored on each server do not only have access to read the S3 buckets, but also have access to write to them.

This means that an attacker can change the binaries in a bucket and run malicious code on the new nodes that are created using this platform.”
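To make the S3 point concrete, here is an added example (not dWallet Labs' or InfStones' code; the bucket name, policy documents and binary bytes are constructed for illustration). It audits an IAM policy for S3 write grants, which is the over-privilege the report describes, and verifies a downloaded node binary against a digest pinned outside the bucket, which is what stops an attacker with bucket write access from getting code onto newly created nodes:

```python
import fnmatch
import hashlib
import hmac
import json

# Constructed IAM policy documents for illustration; neither is InfStones'
# real policy. The first mirrors the over-broad grant the report describes,
# the second the read-only grant a node bootstrap actually needs, the third
# a wildcard grant that is just as dangerous as the first.
BUCKET_ARN = "arn:aws:s3:::example-node-binaries/*"   # assumed bucket name

OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": BUCKET_ARN,
    }],
})

READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN,
    }],
})

WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARN}],
})

# S3 actions that let a principal change what other nodes will later download.
S3_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")


def s3_write_actions(policy_json: str) -> set:
    """Return the write-capable S3 actions a policy document allows.

    Handles both a bare string and a list under "Action", and expands
    wildcards such as "s3:*" or "s3:Put*" against the known write actions.
    """
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            for action in S3_WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action, pattern):
                    granted.add(action)
    return granted


def verify_binary(data: bytes, pinned_sha256: str) -> bool:
    """Accept a downloaded binary only if its SHA-256 matches the pinned digest.

    The digest must live somewhere the bucket credentials cannot write (baked
    into the machine image, or in config signed by a separate key); otherwise
    an attacker with bucket write access simply updates both.
    """
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)


# Constructed stand-ins for the real node binary and a tampered copy.
GENUINE_BINARY = b"\x7fELF constructed genuine node binary"
TAMPERED_BINARY = b"\x7fELF constructed binary with a backdoor"
PINNED_DIGEST = hashlib.sha256(GENUINE_BINARY).hexdigest()


def bootstrap_node(downloaded: bytes, pinned_sha256: str = PINNED_DIGEST) -> str:
    """Simulated bootstrap step: refuse to run anything that fails the pin check."""
    if not verify_binary(downloaded, pinned_sha256):
        return "refused: binary does not match pinned digest"
    return "started node"


if __name__ == "__main__":
    print("over-broad policy grants:", sorted(s3_write_actions(OVERBROAD_POLICY)))
    print("read-only policy grants:", sorted(s3_write_actions(READ_ONLY_POLICY)))
    print(bootstrap_node(GENUINE_BINARY))
    print(bootstrap_node(TAMPERED_BINARY))
```

The policy audit is the detection side (the credentials on each server should fail it), and the pinned digest is the containment side: even with bucket write access, the attacker cannot get a new node to execute a replaced binary unless they can also change the pin.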

Additionally, they found a service named “infd” running on port 12345, enabling them to manage nodes.

Upon analysis, dWallet Labs found a command injection vulnerability in the “upgrade” route, which they exploited on one server.

They then uncovered an authentication bypass vulnerability, allowing them to run commands on over 450 servers, including validators across various blockchain networks.

This grants root privileges, enabling access to private keys and control over staked assets worth over one billion dollars.

At this point they could execute commands with root privileges on more than 450 servers across the globe, including many used as validators.
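The two bugs in the "infd" service, a command injection in the "upgrade" route and an authentication bypass, are both well-known classes. The following added example is a hypothetical stand-in, not infd's real code (which is not public and is not shown in the report): it contrasts a route that interpolates the requested version into a shell command with one that validates the version, passes it as a discrete argument without a shell, and authenticates before touching the request at all. The script name, header name and token are assumptions, and `echo` stands in for the real upgrade script so the code runs harmlessly:

```python
import hmac
import re
import subprocess

# Hypothetical route implementation; the header name and token are assumptions.
VERSION_RE = re.compile(r"^v?[0-9]+\.[0-9]+\.[0-9]+$")
API_TOKEN = "constructed-shared-secret"   # would come from config in practice


def upgrade_vulnerable(version: str) -> str:
    """Builds the command by string interpolation and hands it to /bin/sh.

    `echo` stands in for the node upgrade script so this runs harmlessly, but
    any shell metacharacters in `version` reach the shell exactly as they
    would with the real script.
    """
    cmd = f"echo upgrading node to {version}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def upgrade_hardened(version: str) -> str:
    """Allow-lists the version format and passes it as one argv element (no shell)."""
    if not VERSION_RE.match(version):
        raise ValueError(f"rejected version string: {version!r}")
    out = subprocess.run(["echo", "upgrading", "node", "to", version],
                         capture_output=True, text=True)
    return out.stdout


def handle_upgrade(headers: dict, version: str) -> tuple:
    """Hardened route: authenticate first, then validate, then act.

    Returns an (HTTP status, body) pair. The constant-time comparison and the
    ordering (auth before any request parsing) are the point: an unauthenticated
    caller never reaches the code that runs commands.
    """
    token = headers.get("X-Auth-Token", "")
    if not hmac.compare_digest(token.encode(), API_TOKEN.encode()):
        return (401, "unauthorized")
    try:
        return (200, upgrade_hardened(version))
    except ValueError as exc:
        return (400, str(exc))


if __name__ == "__main__":
    payload = "1.2.3; echo INJECTED"
    print("vulnerable:", upgrade_vulnerable(payload))
    print("hardened:", handle_upgrade({"X-Auth-Token": API_TOKEN}, payload))
    print("no token:", handle_upgrade({}, "v1.2.3"))
```

The injected `; echo INJECTED` runs as a second command in the vulnerable version; the hardened version rejects it at validation, and without the token it is never even parsed.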

During their review of the affected servers, dWallet Labs detected many validators in different blockchain networks such as Ethereum, Sui, BSC, Avalanche, Aptos and more.

An attacker exploiting this vulnerability can acquire the private keys of many validators in many different blockchain networks.

Over one billion dollars of assets were staked across these validators, and such an attacker would have been able to gain full control of all of them.

The full step-by-step breakdown can be found here:

When a validator’s private keys are compromised, the attacker can cause significant harm to the blockchain network. They could manipulate transactions or propose conflicting blocks, leading to the validator being penalized or “slashed.”

This not only affects the validator but also impacts users who trust it for staking. Moreover, the attacker can withdraw staked funds or steal rewards, causing substantial financial losses.
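What "conflicting blocks" means in practice, as an added example that is not part of dWallet Labs' report: the checks below implement the slashing conditions Ethereum's consensus layer enforces, generalized beyond the single case in the text to cover attestations as well as proposals (a second block for the same slot; a double vote on the same target epoch; a surround vote). They run over a constructed set of messages in which validator 7's key has been misused. Validator indices, slots, epochs and roots are made up:

```python
from collections import defaultdict
from typing import NamedTuple


class Proposal(NamedTuple):
    """A signed block header as seen on the network (signature omitted)."""
    validator: int
    slot: int
    block_root: str


class Attestation(NamedTuple):
    """The parts of attestation data the slashing rules look at."""
    validator: int
    source_epoch: int
    target_epoch: int
    target_root: str


def double_proposals(proposals):
    """Proposer slashing: two distinct blocks by one validator for one slot."""
    first_seen = {}
    slashable = []
    for p in proposals:
        key = (p.validator, p.slot)
        prev = first_seen.get(key)
        if prev is None:
            first_seen[key] = p
        elif prev.block_root != p.block_root:   # a re-gossiped identical block is fine
            slashable.append((prev, p))
    return slashable


def is_double_vote(a, b):
    """Same target epoch but different attestation data."""
    return a.target_epoch == b.target_epoch and a[1:] != b[1:]


def is_surround_vote(a, b):
    """One vote's source..target span strictly encloses the other's."""
    return ((a.source_epoch < b.source_epoch and b.target_epoch < a.target_epoch)
            or (b.source_epoch < a.source_epoch and a.target_epoch < b.target_epoch))


def slashable_attestations(attestations):
    """Attester slashing: every pair of votes by one validator that conflicts."""
    history = defaultdict(list)
    slashable = []
    for att in attestations:
        for prev in history[att.validator]:
            if is_double_vote(prev, att) or is_surround_vote(prev, att):
                slashable.append((prev, att))
        history[att.validator].append(att)
    return slashable


# Constructed sample: validator 7 and 9 have signed conflicting messages;
# validator 3 behaves honestly.
SAMPLE_PROPOSALS = [
    Proposal(7, 100, "0xaaa"),
    Proposal(3, 101, "0xbbb"),
    Proposal(7, 100, "0xaaa"),   # duplicate of the first, not slashable
    Proposal(7, 100, "0xccc"),   # second distinct block for slot 100: slashable
    Proposal(7, 102, "0xddd"),
]

SAMPLE_ATTESTATIONS = [
    Attestation(3, 10, 11, "0x111"),
    Attestation(3, 11, 12, "0x222"),
    Attestation(7, 10, 11, "0x111"),
    Attestation(7, 10, 11, "0x999"),   # double vote on target epoch 11
    Attestation(9, 8, 12, "0x333"),
    Attestation(9, 9, 10, "0x444"),    # surrounded by the previous vote
]


if __name__ == "__main__":
    for prev, cur in double_proposals(SAMPLE_PROPOSALS):
        print(f"validator {cur.validator} proposed {prev.block_root} and "
              f"{cur.block_root} for slot {cur.slot}")
    for prev, cur in slashable_attestations(SAMPLE_ATTESTATIONS):
        print(f"validator {cur.validator}: {prev[1:]} conflicts with {cur[1:]}")
```

Any node that observes both halves of such a pair can include them in a block as slashing evidence, so an attacker holding a stolen signing key can get the honest operator's validator slashed and ejected without ever touching the withdrawal credentials.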

For instance, in the case of InfStones' Aptos validator, the attacker could have stolen around $145 million.

These vulnerabilities affect network integrity, especially considering the significant role operators like InfStones play in blockchain networks such as Ethereum and in staking protocols such as Lido.

This is why dWallet Labs argued that a malicious organized group could have caused considerable damage.

This research served as a harsh wake-up call to the community, a necessary reminder that blockchain security is a layered edifice, in which traditional security and blockchain-focused security are two sides of the same crypto coin.

About Us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols, and asset managers from significant losses or threats through its monitoring tools.

Nefture’s core services include Real-Time Crypto Transaction Security and a Threat Monitoring Platform that provides accurate exploit detections and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions that mitigate threats and ensure the security of their wallets and transactions.

Secure your crypto journey, book a demo now!
