Hexa Labs — A Security Analysis for Blockchain: August 2018

Image by Marina Rudinsky

The June-July analysis post got positive reviews from our clients, partners and different players in the blockchain community. I’ll hope this month post will serve the community as well.

This month was considerably quiet regarding published security breaches, we hope it will stay that way.

Monero and Altex.exchange (July 30, 2018)

Monero (XMR) is a cryptocurrency with a focus on confidentially and untraceability, it is the native coin of the Monero blockchain. Altex.Exchange is a small crypto-exchange.

Damage scale: Undisclosed, but was enough to shut down the exchange.

Attack vector: Software bug

What Happened

• Crafted transfer transactions exploited a display bug in the Monero’s wallet code, an open-source code.
• The exploit causes the wallet to display a double amount rather than the real amount which was sent — i.e if you sent 1 XMR in a crafted manner, the receiver would have seen you have send 2 XMR.
• Some Monero forks, such as ArQmA, were also influenced by this vulnerability.
• A researcher found the bug and contacted the Monero’s team via HackerOne platform at the beginning of June. Monero’s team released a fix at the end of July.
• Other Monero forks were notified too about this bug.
• At the beginning of July, Altex announced it suspends all CrypoNote based coins because of a bug in the wallet’s code.
• At the end of July, Altex published a tweet saying they’ve suffered from a double-counting bug. They suspended all trading on their platform.
• Since this tweet, no further update has been released by the Altex team — trading is still unavailable and a new registration is disabled.

Hexa Labs Thoughts

• As said in the previous post regarding the vulnerabilities found on the EOS platform, bug-bounty programs are great and empower the entire blockchain community.
• Even though other forks of Monero were notified about the bug, it was too late for the Altex exchange. It would be interesting to think about a decentralized mechanism which notifies trading platforms about such bugs that can siphon their wallets.

References: Altex.Exchange announcement about the losses, Report on the bug and fixation at HackerOne, Article by newsBTC on the case

Bitcoin Cash (August 10, 2018)

Bitcoin Cash is a cryptocurrency, a hard fork of the Bitcoin blockchain. It has the fourth biggest market capitalization according to CoinMarketCap.

What Happened

• BitcoinABC, an open-source and full-node implementation for Bitcoin Cash, in May released an official report on a critical vulnerability within their code.
• According to the report, a threat actor can construct a malicious transaction which would be accepted by a specific version of BitcoinABC but will be rejected by all other versions of Bitcoin Cash implementation.
• One possible result of such a bug would have been a fork of the Bitcoin Cash blockchain, since miners with the susceptible version would have accepted malicious transactions and other miners wouldn’t have.
• BitcoinABC states they have directly provided a patch to relevant mining pool operators.
• At the end of the report, BitcoinABC thanks the person(s) who disclosed the vulnerability and ask him or her to come forward and receive a reward.
• In August, a researcher at MIT Media Lab — Cory Fields — revealed himself as the person who notified BitcoinABC about the bug.
• Fields says he is involved in the Bitcoin Core project — Bitcoin primary software implementation.
• Because Bitcoin has lots of common code with Bitcoin Cash, Fields occasionally inspects the latter code in order to learn and deduce issues which might be relevant for Bitcoin Core.
• During one of Bitcoin Cash’s inspections, Fields saw that pieces of the transaction validation code were refactored. The review process of this change took a week and was done by two reviewers only. NOTE: Approve changes in such a critical code will usually involve more reviewers and last longer.
• Fields thought it would be interesting to see those changes. He says the critical bug was found in less than 10 minutes.
• He shared his thoughts about (1) anonymously disclosed the bug (2) in a secure manner (3) only to BitcoinABC developers. Anonymity to protect himself, and the last two to protect the Bitcoin Cash blockchain and value.
• He also mentioned he did it because he hopes that if someone will find a vulnerability in Bitcoin Core code, that someone would report it discreetly and securely as possible.
• Later on, he tried to anonymously contact BitcoinABC, but found it to be a difficult task — there was no bug disclosure policy and the BitcoinABC Github issue tracker specifically requests to “contact people privately.”
• In the end, he encrypted a detailed report to one of the BitcoinABC developers with the developer PGP public key. BitcoinABC decrypted the report and started to work on the fix.

Hexa Labs Thoughts

We brought this case up again because the post from August raised several points the community should pay special attention —

• The blockchain community is a supportive community: There are disagreements between Bitcoin and Bitcoin Cash crowds, but Fields who represents the Bitcoin community, understood the risks and implications of such a bug to Bitcoin Cash, and did what he could to protect the eco-system’s overall reputation and Bitcoin Cash holders.
• Update critical code: Mistakes happen all the time and it’s okay that they do from time to time, but when refactoring such a critical code, much greater time and effort should be invested on code review.
• Anonymous bug disclosure: It is important to protect the person who wishes to disclose the bug. He shouldn’t suffer any consequences in the event the bug was executed.
• Appropriate bug disclosure channels and schemes: The strange part is the fact that it wasn’t easy to get the attention of BitcoinABC developers. Fields had to ping them several times in order to get some attention. Blockchain projects should have clear and secure communication channels to report bugs and other security issues. Here’s an example.

References: Post by Cori Fields about the vulnerability and the disclosure process, Vulnerability report by BitcoinABC from May

Related Attacks

• This incident reminded me of the Parity multi-signature wallet bug from last November. During the Parity incident, someone triggered a “suicide” function in one of the multi-signature libraries and caused hundreds of thousands of Ether to stuck in those wallets. That loss of hundreds of millions of dollars could have been prevented, according to the official post-mortem post. This time, BitcoinABC and Bitcoin Cash holders were much luckier.

Bitfi Hardware Wallet (August 1, 2018)

BitFi is a global payments company which launched an “unhackable” hardware wallet for crypto-currency.

What Happened

• On June, Bitfi announced on Bitfi Wallet, the first “unhackable” hardware wallet.
• John McAfee, the creator of McAfee, the first commercial anti-virus software, had joined the Bitfi team and acknowledged the fact that the Bitfi technology is indeed unhackable.
• The wallet supports several crypto-currencies and has features such as automatic updates mechanism and online-dashboard.
• The security community wasn’t so pleased with the “unhackable” statement and some negative reviews started to appear on social media and other platforms.
• On July, Bitfi & McAfee announced a $100,000 reward to anyone who can hack Bitfi wallet — a Bitfi wallet loaded with $50 of BTC will be sent to people who will try to hack it. According to the announcement, if they’re able to get the BTC, a reward of $100,000 will be served.
• At the end of July, the reward was increased to $250,000.
• OverSoftNL, a research security firm, tweeted it had gained root access to the device, but didn’t prove it had access to the $50 of BTC the wallet holds. Social media went crazy about “the hack” of Bitfi.
• Neither Bitfi nor McAfee responded to OverSoftNL tweet.
• At the end of August, Bitfi removed the word “unhackable” from their website.
• The reward for hacking Bitfi has increased again to $20 million.
• As of the beginning of September, you can’t buy Bitfi from the official Bitfi website because it has sold out. The saga continues.

Hexa Labs Thoughts

• Indeed, it is a strange story. One of the basic axioms of security is that everything — and we mean everything — is hackable. The fact the John McAfee, a controversial character in the security community, makes a statement that his product is “unhackable” annoyed many. We will continue to follow this story.

References: Launch Bitfi wallet, reward is increasing to $250K, negative review on Bitfi, OverSoft announced root access to the wallet , Reward increasing to $20M, Bitfi remove unhackable claim from their site

More Interesting Blockchain Security Stories

• Cryptocurrency-stealing malware which targets Apple OS machines: A few years ago, Apple OS machines were considered “safer” than Microsoft and Linux systems. I hope you don’t still believe it. Don’t neglect security because you think Apple is more secure. There’s also a great MAC attack webinar by Cybereason, worth watching.
• Digital identity theft behind heist worth $23.8 million: A Cryptocurrency investor filed a lawsuit again AT&T because the telecom giant failed to protect the investor’s digital identity due to a SIM swap fraud. Who keeps $23.8M worth of crypto in a hot wallet controlled by a mobile phone?
• Boston man accused of stealing $2 million in cryptocurrency — more SIM swap frauds in the US.
• Massive Bitcoin theft in China — A massive cryptocurrency heist in northwest China. There’s not much technical information about it, expect the fact the arrested suspected were hackers since a young age :0
• Post on Blockchain and IoT Security-A brief readable post on the combination of blockchain and IoT to improve the latter security.

The Monthly Updates

The monthly security analysis delivers analysis and post-mortem on interesting blockchain security incidents and events in an executive-summary format. There are many posts on security incidents within the blockchain domain. Here, we’ll provide a high-level overview and try to focus on the essence, express Hexa Labs’ opinion and give references for further inspection.

About Hexa Labs

Hexa Labs is a blockchain solutions consultancy helping established large-scale consumer brands create their own fair and stable decentralised economies.

Among our clients you can find Zinc, PumaPay, COTI and other successful blockchain projects.

Visit us at Hexa-labs.com

Like what you read? Check out our GitHub projects and join the community:

orbs-network/orbs-network-go

orbs-network/orbs-spec

orbs-network/orbs-network-typescript

orbs-network/lean-helix-go

Join the Orbs community:

• GitHub: https://github.com/orbs-network
• Telegram: https://t.me/orbs_network
• Twitter: https://twitter.com/orbs_network
• Reddit: https://www.reddit.com/r/ORBS_Network/
• Read the Orbs white papers: https://www.orbs.com/white-papers