HodlX Guest Post
Zero days without incidents in the DeFi space. This time the vulnerability was found in the widely used elliptic library.
What makes it worse
Exploiting it can hand an attacker the user's private key and let them drain the wallet, starting from nothing more than one fraudulent message the user signs. Is this a critical issue?
The first thing to consider is that libraries such as elliptic give developers ready-made code components.
This means that instead of rewriting and reviewing the code as they go, developers simply pull in the pieces they need.
This is generally considered the safer practice, since popular libraries are used and tested continuously, but it also concentrates risk: a single vulnerability in a shared library propagates to every project that depends on it.
The elliptic library is widely used across the JavaScript ecosystem. It provides the cryptographic primitives for many well-known blockchain projects, web applications and security systems.
According to npm statistics, the affected package is downloaded about 12-13 million times a week, and more than 3,000 projects list it directly as a dependency.
This breadth means the vulnerability can affect a large number of applications
Especially cryptocurrency wallets, blockchain nodes and electronic signature systems, as well as any service that depends on ECDSA signatures via elliptic, and above all any service that signs externally supplied input. Through this vulnerability, external attackers can fully compromise sensitive data (the signing key itself) without any authorization.
That is why the issue was rated as highly severe
About nine out of 10 on the CVSS scale. It is important to point out that exploiting this vulnerability requires a very specific sequence of actions: the victim must sign arbitrary data supplied by the attacker.
This means that some projects can remain safe, for example if an application only signs predetermined internal messages.
Yet many users pay far less attention when signing messages in a crypto wallet than when signing a transaction.
When a Web3 site asks users to sign its terms of service, users often skip reading them.
Likewise, users will quickly sign a message to claim an airdrop without fully understanding the implications.
Technical details
The problem stems from incorrect error handling of malformed input while producing ECDSA (Elliptic Curve Digital Signature Algorithm) signatures.
ECDSA is often used to confirm that messages, such as blockchain transactions, are real.
To produce a signature you need a secret key
Only the owner knows it, together with a unique random number called a 'nonce'. If the same nonce is used more than once for different messages, anyone holding both signatures can compute the secret key with simple modular arithmetic.
Normally, an attacker cannot recover the private key from one or two signatures, because each signature uses a fresh, unique random number (nonce).
But the elliptic library has a bug
If it receives input of an unexpected type (such as a specially crafted string instead of a byte array of the expected size), it can produce two signatures with the same nonce for two different messages. That reveals the private key, which must never happen with correct ECDSA use.
To exploit this vulnerability, an attacker needs two things.
- A valid message and the user's signature on it, for example from a previous interaction
- The user's signature on a second message specifically crafted to trigger the vulnerability
With these two signatures, the attacker can compute the user's private key and gain full control of the funds and actions tied to it. Detailed information is available in the GitHub Security Advisory.
Exploitation scenarios
Attackers can exploit this vulnerability through various methods, including the following.
- Phishing attacks that lure users to fake websites and request a message signature
- Malicious dApps (decentralized applications) disguised as harmless services, such as signing terms of use or participating in airdrops
- Social engineering that convinces users to sign seemingly harmless messages
- Compromise of server-side signing keys on services that sign messages supplied by users
A particularly concerning aspect is the generally lax attitude users take toward signing messages compared to signing transactions.
Crypto projects often ask users to sign terms of service or airdrop participation messages, which makes exploitation easier.
So think about it
Would you sign a message to claim free tokens? What if that signature could cost you your entire crypto balance?
Recommendations
Users should immediately update every application and wallet that uses the elliptic library for signing to the latest patched version.
Be careful when signing messages, especially from unknown or suspicious sources.
Wallet and application developers must check which version of elliptic they ship, including copies pulled in transitively through other packages.
If their users could be exposed to the vulnerable version, developers must inform them about the urgent need to update.
GLEB ZYKOV is the co-founder and CTO of HashEx Blockchain Security. He has more than 14 years of experience in the IT industry and more than eight years in internet security, as well as a strong technical background in blockchain technology (Bitcoin, Ethereum and EVM-based blockchains).
Credit: dailyhodl.com