Security firm dWallet Labs flags validator vulnerability that could affect $1B in crypto


Blockchain security firm dWallet Labs recently disclosed a vulnerability that it claims could affect up to $1 billion worth of crypto, with assets such as Ether (ETH), Aptos (APT), BNB (BNB) and Sui (SUI) at risk.

In a paper sent to Cointelegraph, dWallet Labs reported a potential vulnerability in validators hosted by an infrastructure provider called InfStones. According to dWallet Labs, they started a research paper on attacking blockchain networks and collecting private keys with Web2 attacks. During this research, dWallet Labs said, they discovered vulnerabilities in InfStones validators. They wrote:

“A chain of vulnerabilities we discovered and exploited during our research allowed us to gain full control, run code and extract private keys of hundreds of validators on multiple major networks, potentially leading to direct losses equivalent to over one billion dollars in cryptocurrencies such as ETH, BNB, SUI, APT and many others.”

According to dWallet Labs, an attacker who exploits the vulnerability can acquire the private keys of validators across different blockchain networks. “Over one billion dollars of staked assets were staked on all of these validators, and such an attacker would have been able to gain full control of all of them,” they added.


On Nov. 21, InfStones responded to Cointelegraph’s request for comment, denying that the bug could affect $1 billion in assets. Darko Radunovic, a representative from InfStones, told Cointelegraph that the potential vulnerability could only affect a small fraction of the live nodes they’ve already launched.

According to Radunovic, the potential vulnerability was discovered in 237 instances, including 212 cases designated for testing and 25 instances as freshly launched nodes in the production environment. “The instances identified in production constitute a fraction below 0.1% of the live nodes we have launched to date,” Radunovic said in a statement. The company also published a blog post saying the vulnerability was resolved.

Radunovic also highlighted that in response to the vulnerability, they’ve done internal reviews and had an accredited security firm audit their systems and company policies. The company also launched a bug bounty program to encourage any third party to work with them directly on any bugs they may find.

