Hi, I’m Omer, CEO at dWallet Labs.
A short response from our security research team, 0d, who made the discovery.
- As we demonstrated in the post, we assert that all InfStones validators, including Ethereum validators, were vulnerable and that their keys could have been extracted by attackers. InfStones, in their response on this thread and elsewhere, keep referring only to the first vulnerability that we discovered (regarding tailon), and don’t address the impact of the full chain of vulnerabilities that we presented, specifically the one involving their proprietary “infd” management service.
- As such, and as we recommended directly to InfStones when the vulnerabilities were disclosed to them back in July, besides fixing the vulnerabilities, all validator keys must be rotated AND all validators must be redeployed. We also made additional recommendations, including some on the internal security measures at InfStones; however, we have no visibility into what the InfStones team actually implemented.
- As we write in the post, we believe that attack vectors involving validator infrastructure and traditional web2 attacks are at least as important to web3 security, if not more so, as traditional web3 attack vectors such as smart contracts. Taking over validators doesn’t only pose a risk to the stakers and delegators of that validator; it could have a devastating effect on the network through censorship, DoS and complete network takeovers.
- In our post, and in our discussion with the Lido DAO contributors that reached out to us, we suggested including NO vulnerabilities in the bug bounty program.
- Our position is that by doing that, not only will white hat hackers be incentivized to discover vulnerabilities before bad actors, but they will also have a framework to operate within without being worried about crossing any ethical or legal lines, seeing as the vast majority of NOs do not have their own public disclosure or bug bounty programs.
- A way to fund that part of the bug bounty program could be to allocate some of the fee received by each NO to a dedicated “vault” for that section of the bug bounty, which would also solidify their continuing consent to and endorsement of the bug bounty program’s terms and conditions.
Finally, we wanted to thank the Lido DAO contributors and the Lido community for taking our report and those risks seriously; this is a good signal for the maturing of Web3 infrastructure and security.