OpenBounty Vulnerability Incident Analysis
Article hash (SHA-1): 4f5b9f376aa53c6cccca03a2ddd065a59550d73c
Chain Source Security, No.003
On July 3, 2024, it was disclosed that the bug bounty platform OpenBounty had published unauthorized vulnerability reports on a public chain. This behaviour is extremely irresponsible and disrespectful toward every infrastructure project and security researcher involved, and it drew wide public discussion because the total bounty value of all these vulnerabilities exceeds 11 billion US dollars. As a result, the bug bounty platform has become widely known to the public. The Chain Source Security team has carried out a security analysis and partial disclosure of this leak, hoping to help readers understand the details and gain a better understanding of how bug bounty platforms operate.
Related Information
OpenBounty disclosed vulnerability report information on the SHENTU public chain without permission (the related proposal concerning Ethereum has since been deleted):
Bug bounty/Vulnerability hunting
Bug bounty platforms in the on-chain world are very similar to the bug-hunting platforms of traditional network security: the main purpose of both is to attract security researchers and white-hat hackers to find and report vulnerabilities in a system through a reward mechanism, thereby improving overall security.
Their operating mode, in timeline order, is as follows:
(1) Project launches a program: whether it is a blockchain project or a traditional network application, it publishes a bug bounty program on the platform.
(2) Vulnerability report: security researchers and hackers probe the project's code or systems and submit a detailed report once they discover a vulnerability.
(3) Verification and fixing: the project team verifies the vulnerability described in the report and fixes it.
(4) Reward distribution: after the fix is complete, the discoverer is rewarded according to the severity and scope of the vulnerability.
Traditional network security mainly deals with classic IT vulnerabilities such as XSS [1], SQL injection [2] and CSRF [3] in web applications, servers, network devices and the like.
Blockchain security is more concerned with smart contracts, protocols and cryptographic wallets, and with attacks such as Sybil attacks [4], cross-chain interaction attacks [5], abnormal external calls and so on.
Critical Vulnerability Report
In the 33rd vulnerability report released by OpenBounty, CertiK performed an audit and penetration test of the SHENTU chain. The proposal shows that the main focus of this security test was internal security vulnerabilities and authorization restrictions within SHENTU.
However, after reading the SHENTU source code, I found a piece of code that replaces a prefix, substituting SHENTU's prefix for CertiK's. This is understandable from a development standpoint, since it is merely a convenience for adjustment and domain name replacement, but it does give the impression that CertiK is both referee and player.
In the other 32 SHENTU vulnerability reports that have not been deleted, one can see descriptions of the problem, the voting parties, the reward description, and even the code of each system after the vulnerability was patched. Such unauthorized disclosure can easily cause secondary damage to these systems, because every system carries historical legacy issues or idiosyncratic coding habits from its development process, and for hackers the room to exploit this information is indeed very large.
Glossary
[1] XSS: attackers inject malicious scripts into web pages so that the scripts execute when users browse the page; the main forms are reflected XSS, stored XSS and DOM-based XSS.
[2] SQL injection: an attack in which malicious SQL code is inserted into input fields (such as forms or URL parameters) and passed to the database for execution. This type of attack can result in data leakage, modification or deletion of database contents, and even control over the database server.
[3] CSRF: an attack that uses a user's authenticated session to send unauthorized requests to a trusted site. Attackers trick users into visiting specially crafted web pages or clicking links, causing operations such as transferring funds or modifying personal information to be performed without the user's knowledge.
[4] Sybil attack: in a distributed network, attackers create a large number of fake identities (nodes) in an attempt to manipulate the network's decision-making process. By creating many false nodes, attackers can influence the consensus algorithm and thereby control transaction confirmation or block legitimate transactions.
[5] Cross-chain interaction attack: attackers manipulate cross-chain transaction requests to bypass security checks in the contract and steal or tamper with cross-chain transaction data, as in the Poly Network cross-chain bridge attack.
Conclusion
Overall, as OpenZeppelin and HackenProof have pointed out, bug bounties must be managed with the consent of the publisher. This is a matter of both law and professional ethics, and it is also the foundation on which many independent developers' achievements rest.
ChainGuardian is a company focused on blockchain security. Our core work includes blockchain security research, on-chain data analysis, and the rescue of assets and contracts affected by vulnerabilities. We have successfully recovered long-stolen digital assets for individuals and institutions. At the same time, we are committed to providing industry institutions with project security analysis reports, on-chain tracing, and technical consulting and support services.
Thank you for reading; we will continue to focus on and share blockchain security content.