Vulnerability: From discovery to fix

Jigstack contributor, published in Jigstack · Aug 4, 2022 · 3 min read

Security is one of the cornerstones of any DeFi protocol. For this reason, Jigstack gives its best to ensure a top-notch level of security for its users, always seeking feedback and suggestions to improve.

After all, for a DeFi protocol to be worthy of the name, it must meet the three requirements of the blockchain trilemma:

  • Decentralisation
  • Scalability
  • Security

In that spirit, when we became aware of a vulnerability affecting our protocol, we fixed it as quickly as possible.

How we discovered the vulnerability

The Jigstack Discord community is made up of novice users as well as very experienced blockchain players. Recently, a member who specialises in security analysis warned us about a security vulnerability on Jigstack.org.

He promptly opened a ticket through the support section and explained to us how a potential attacker could have taken advantage of this flaw.

What was the vulnerability?

Simply put, the user explained that this was a web vulnerability.

A potential attacker could have exploited this vulnerability to steal funds from users’ wallets.

In short, an attacker could take control of the subdomain https://jwallet.jigstack.org/ and use it to show fictitious APYs to users. For example, it could advertise a STAK/USDC/USDT staking pool with a 1000% APY, or host fake dApps that steal the funds of anyone who deposits.

Another example would be a fake jwallet download page that tells the user an update is required. Instead of an update, the user installs malware that gives the attacker full control of their device.

The attacker could likewise host fake token-claim pages that request approval through MetaMask or another non-custodial wallet. All it takes is one click and the wallet is emptied.

This works even against a user who checks the address bar: because the page is served from a genuine jigstack.org subdomain, the URL looks “correct”.

The fix

Upon learning of the report, the Jigstack team fixed the vulnerability so that the whole community and its users have a safer environment.

However, we always encourage all users to report to us any problems or glitches they encounter so that we can ensure a better experience for everyone.

Acknowledgements

First and foremost, we want to thank the entire Jigstack community and its users for helping and supporting us on a daily basis.

We really appreciate your ability to keep us up to date and to report any kind of issues so that we can work as a true extended family.

In particular, we are extremely focused on continuous improvement from a security perspective, which we think is at the very heart of any DeFi project.

Last but not least, we would like to thank krito#7509 for informing us about this vulnerability, which gave us the chance to fix it and make the whole Jigstack project a more secure protocol.

Sincerely,

The Jigstack Team

About Jigstack:

Jigstack offers a suite of valuable flagship DeFi products governed as a single Decentralized Autonomous Organization (DAO), positioning the platform to be the DAO of DeFi. Jigstack is a one-stop shop for everything DeFi, offering an interactive and exciting interface for users. Our platform allows anyone to easily understand each product and interact with it, gaining maximum exposure to the DeFi ecosystem in a safe and effective manner.
