HodlX Guest Post
Zero days without incidents in the DeFi space. This time the vulnerability has been discovered in the widely used "elliptic" library.
What makes things worse is that its exploitation can lead to attackers taking control of users' private keys and draining their wallets, all through a simple fraudulent message signed by the user. Is this a critical issue?
The first thing to consider is the fact that libraries such as elliptic provide developers with ready-made code components.
This means that instead of writing the code from scratch and verifying it as they go, developers simply borrow the elements they need.
Although this is considered a safer practice, since libraries are continuously used and tested, it also increases the risk when a security vulnerability does appear.
The elliptic library is widely used across the JavaScript ecosystem. It powers cryptographic functions in many well-known blockchain projects, web applications and security systems.
According to npm statistics, the package that contains the bug is downloaded about 12-13 million times a week, with more than 3000 projects listing it directly as a dependency.
This wide use means that the vulnerability affects a large number of applications: cryptocurrency wallets, blockchain contract and electronic signature systems, and any service that depends on ECDSA signatures through elliptic, especially when handling externally supplied input. The vulnerability allows attackers to fully extract sensitive data without proper authorization.
For this reason the issue received a very high severity rating: almost nine out of 10 on the CVSS scale.
It is important to note that exploiting this vulnerability requires a very specific chain of actions, and the victim must sign arbitrary data provided by the attacker.
This means that some projects may remain safe, for example, if the application only signs predefined internal messages.
However, many users do not pay as much attention when signing messages via crypto wallets as they do when signing a transaction.
When a Web 3.0 site asks users to sign its terms of service, users often neglect to read them.
Likewise, users may quickly sign a message for an airdrop without fully understanding the implications.
Technical details
The problem comes from improper error handling while creating ECDSA (Elliptic Curve Digital Signature Algorithm) signatures.
ECDSA is commonly used to confirm that messages, such as blockchain transactions, are authentic.
To create a signature, you need a secret key that only the owner knows and a unique random number called a "nonce". If the same nonce is used more than once for different messages, someone can derive the secret key mathematically.
Usually, attackers cannot work out the private key from one or two signatures because each one uses a unique random number (nonce).
But the elliptic library has a flaw: if it gets an unusual type of input (such as a special string instead of the expected format), it can create signatures with the same nonce for different messages. This error can reveal the private key, which should never happen when ECDSA is used properly.
To exploit this vulnerability, the attacker needs two things.
- A valid message and its signature from the user, for example, from any previous interaction
- The user to sign a second message created explicitly to exploit the vulnerability
With these two signatures, the attacker can compute the user's private key, gaining full access to the funds and the actions associated with it. Detailed information is available in the GitHub Security Advisory.
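A defensive wrapper for services that sign on behalf of users, as an added example that is not part of the original article or of the elliptic code base: it rejects anything that is not a 32-byte digest and withholds any signature whose `r` value repeats for a different digest, which is the observable sign of a reused nonce. The names `makeGuardedSigner`, `rawSign` and `faultySign` are hypothetical, and `rawSign` is assumed to return `{ r, s }` as hex strings.

```javascript
class NonceReuseError extends Error {}

function toDigestHex(digest) {
  // Accept only raw bytes of the exact hash length; strings, plain arrays,
  // numbers and objects are rejected instead of being coerced.
  if (!(digest instanceof Uint8Array) || digest.length !== 32) {
    throw new TypeError("digest must be a 32-byte Uint8Array/Buffer");
  }
  return Buffer.from(digest).toString("hex");
}

function makeGuardedSigner(rawSign) {
  const seen = new Map(); // r (hex) -> digest (hex) first signed with that r
  return function sign(digest) {
    const z = toDigestHex(digest);
    const sig = rawSign(digest); // assumption: returns { r, s } as hex strings
    const r = sig.r.toLowerCase().replace(/^0+/, "");
    const prev = seen.get(r);
    // The same r for the same digest is normal for deterministic signers.
    // The same r for a different digest means the nonce was reused: withhold it.
    if (prev !== undefined && prev !== z) {
      throw new NonceReuseError("r repeated across different digests; signature withheld");
    }
    seen.set(r, z);
    return sig;
  };
}

// Constructed stand-in for a buggy signer: it reuses one nonce, so r never changes.
function faultySign(digest) {
  return { r: "00c0ffee", s: Buffer.from(digest).toString("hex").slice(0, 8) };
}

function demo() {
  const sign = makeGuardedSigner(faultySign);
  const inputs = [Buffer.alloc(32, 1), Buffer.alloc(32, 1), "a".repeat(64), Buffer.alloc(32, 2)];
  return inputs.map((input) => {
    try { sign(input); return "released"; }
    catch (e) { return e.constructor.name; }
  });
}
```

In a real service the `seen` map would need to be persisted per signing key, since an in-memory map only covers one process lifetime.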
Exploitation scenarios
Attackers may exploit this vulnerability in different ways, including the following.
- Phishing attacks that direct users to counterfeit websites and request message signatures
- DApps (decentralized applications) disguised as harmless services, such as signing terms of use or participating in airdrops
- Social engineering that persuades users to sign unpredictable messages
- Compromise of the private keys of servers that sign messages from users
Particularly important here is users' general attitude toward signing messages compared to transactions.
Crypto projects often require users to sign terms of service or airdrop participation messages, which may facilitate exploitation.
So, think about it: would you sign a message to claim free tokens? What if this signature could cost you your entire crypto balance?
Recommendations
Users must immediately update all applications and wallets that use the elliptic library for signatures to the latest safe version.
Exercise caution when signing messages, especially from unfamiliar or suspicious sources.
Wallet and application developers must check which version of the elliptic library they use.
If any users may be affected by the vulnerable version, the developers must inform them of the urgent need to update.
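One way for developers to carry out the version check, as an added example that is not from the article or the elliptic project: it lists every installed copy of `elliptic` in an npm lockfile (the `packages` map of lockfileVersion 2 and 3), including copies nested under other dependencies. The function names, the sample lockfile and its versions are constructed, and `minSafe` is a placeholder argument whose real value must come from the GitHub Security Advisory.

```javascript
function parseVersion(v) {
  // Compares major.minor.patch only; pre-release tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function isOlder(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// minSafe is a PLACEHOLDER argument: take the fixed version from the advisory.
function auditElliptic(lock, minSafe) {
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Matches the top-level copy and copies nested under other packages,
    // but not look-alike names such as "elliptic-like".
    if (!/(^|\/)node_modules\/elliptic$/.test(path)) continue;
    copies.push({ path, version: meta.version, outdated: isOlder(meta.version, minSafe) });
  }
  return copies;
}

// Constructed lockfile fragment; package names and versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/elliptic": { version: "2.0.1" },
    "node_modules/example-wallet-sdk/node_modules/elliptic": { version: "1.4.0" },
    "node_modules/elliptic-like": { version: "0.1.0" },
  },
};

function demoAudit() {
  // "2.0.0" is a constructed threshold for the sample, not the real fixed version.
  return auditElliptic(SAMPLE_LOCK, "2.0.0").filter((c) => c.outdated).map((c) => c.path);
}
```

A nested copy stays on its old version until the parent package that pins it is updated or overridden, so a clean top-level entry alone does not clear the project.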
Gleb Zykov is the co-founder and CTO of HashEx Blockchain Security. He has more than 14 years of experience in the IT industry and more than eight years in internet security, as well as a strong technical background in blockchain technology (Bitcoin, Ethereum and EVM-based blockchains).