Blockchain security firm dWallet Labs has recently revealed a vulnerability that it believes could impact up to $1 billion worth of cryptocurrency, including assets like Ether (ETH), Aptos (APT), BNB (BNB), and Sui (SUI).
In a paper submitted to Cointelegraph, dWallet Labs reported a potential vulnerability in validators hosted by infrastructure provider InfStones. According to dWallet Labs, the finding came out of a research project covering attacks on blockchain networks and the extraction of validator private keys through Web2 attacks. In the course of this research, dWallet Labs claims to have discovered vulnerabilities in InfStones validators. They stated:
“A series of vulnerabilities that we identified and exploited during our research allowed us to gain full control, run code, and extract private keys of hundreds of validators on multiple major networks, potentially leading to direct losses equivalent to over one billion dollars in cryptocurrencies such as ETH, BNB, SUI, APT, and many others.”
dWallet Labs stated that an attacker exploiting the vulnerability could obtain the private keys of validators across different blockchain networks. They added, “Over one billion dollars of staked assets were staked on all of these validators, and such an attacker would have been able to gain full control of all of them.”
On November 21, InfStones responded to Cointelegraph’s request for comment, disputing that the bug could affect $1 billion in assets. Darko Radunovic, a representative from InfStones, told Cointelegraph that the potential vulnerability could only affect a small fraction of the live nodes it had launched. According to Radunovic, the potential vulnerability was found in 237 instances: 212 of them were test instances and 25 were freshly launched nodes in the production environment. “The instances identified in production constitute a fraction below 0.1% of the live nodes we have launched to date,” Radunovic said in a statement. The company also published a blog post stating that the vulnerability had been resolved.
Radunovic also emphasized that, in response to the vulnerability, the company had conducted internal reviews and had an accredited security firm audit its systems and company policies. The company also initiated a bug bounty program to incentivize third parties to work directly with it on any bugs they may discover.