Tag: bug

  • WEFUZZ, a fully decentralized, crowdsourced security audit and bug bounty solution | by Coinbase | Feb, 2022

    Coinbase

    This report updates on what WEFUZZ, Coinbase Crypto Community Fund grant recipient, has been working on over the first part of their year-long Crypto development grant. This specifically covers their work on a decentralized, crowdsourced security audit and bug bounty solution.

    By WEFUZZ, Coinbase Crypto Community Fund grant recipient

    WEFUZZ implements a fully decentralized, crowdsourced security audit and bug bounty solution: a set of smart contracts that allow developers and companies to get their smart contracts, blockchains, websites, etc., audited by the auditors and hackers community. With this work, WEFUZZ aims to become the *Hacker DAO*.

    Crowdsourcing is a sourcing model in which individuals or organizations obtain goods or services (including ideas, voting, micro-tasks, etc.) from a large, relatively open, and rapidly evolving group of participants. Companies like Uber, Gitcoin and GoJek already use this model. The crowdsourcing model offers improved costs, speed, quality, flexibility, scalability, and diversity.

    The traditional crowdsourcing system consists mainly of three roles: requesters, workers (auditors in our case), and a centralized system. Requesters submit tasks to be completed through the crowdsourcing system. A set of auditors complete the task and submit solutions to the crowdsourcing system. Requesters then select a proper solution (usually the first or the best one that solves the task) and reward the corresponding worker.

    This makes centralized systems vulnerable. Users’ sensitive information (e.g. name, email address) and vulnerability reports are saved in the databases of these centralized systems, which carries the inherent risk of privacy disclosure and data loss. Centralized choke points are attack vectors not only for leaks and hacks, but also for outages.

    Crowdsourcing companies are keen on maximizing their own benefits and require requesters to pay for services, which in turn increases users’ costs. Most crowdsourcing systems charge a 10–25% service fee.

    All these issues add to the existing concerns of smart contract and multi-chain owners and developers (the audit requesters), as well as those of freelance auditors and ethical hackers. Some of these concerns are:

    • Ensuring their assets are safe from cyber theft, data hacks or any other risk that can result in a loss of funds and compromised data
    • Being able to get audits done in a cost-effective way — be it private or public security audits
    • Making sure the smart contracts are audited by multiple auditors
    • Hackers do not want to share sensitive personal data
    • Hackers and auditors and developers need complete transparency

    WEFUZZ is a fully decentralized, crowdsourced audit and bug bounty platform aiming to be the Hacker DAO. WEFUZZ aims to provide reliability, fairness, security and low service fees by design.

    A decentralized platform has many advantages, such as higher user security, service availability, and lower costs. Smart contracts running on a chosen blockchain are used to perform the whole process of crowdsourcing tasks, which includes posting audit and bounty campaigns, submitting audit and bug reports, bounty assignment, etc.

    WEFUZZ solution offers numerous added benefits to users:

    • Data Security: Reports are encrypted with the auditors’ and target developers’ public keys, so that a bug report can only be read by its intended recipient. Files are encrypted and stored on the decentralized network storage. No more data breaches, hacks, password leaks or any other risk affecting existing cloud-based audit and bug bounty platforms.
    • Cost Effectiveness: Allowing smart contract developers, multi-chain developers, and companies to get audits performed in a cost-effective way directly by the auditors and hacker crowd on the WEFUZZ platform. This helps the developers and companies avoid huge fees and congestion issues affecting the traditional bug bounty platforms.
    • Flexible anonymity: Auditors and hackers can choose to remain anonymous while submitting reports, protecting their privacy, and still getting paid.
    • Communication Security: No centralized data storage, complete anonymity, no data transfers, no moderators and complete end-to-end encryption. All the data resides encrypted on the Solana blockchain and all the files reside on the IPFS blockchain.

    Audit Requestors: Developers, companies or any individual can request audits or start a private/public bug bounty campaign.

    Auditors: Auditors can be anyone from ethical hackers to audit firms who can perform the requested audits or participate in bug bounty campaigns.

    Judges: Judges are community members who are either elected by the community or have been raised to the Judge category through reputation.

    Currently, we are working on the conceptualization, technical architecture, and system design of WEFUZZ, in addition to building our MVP on the Solana and Polygon blockchains and evaluating which chain is optimal for our project.

    Please join our Discord and follow us on our Twitter and Medium to keep track of the progress. We are going to release the code and other tools we build as part of the research and development in this Github account.


  • Retrospective: Recent Coinbase Bug Bounty Award | by Coinbase | Feb, 2022

    Coinbase

    At Coinbase, our number one priority is ensuring that we uphold our security commitments to our customers. On February 11, 2022, we received a report from a third-party researcher indicating that they had uncovered a flaw in Coinbase’s trading interface. We promptly mobilized our security incident response team to identify and patch the bug, and resolved the underlying system issue without any impact to customer funds.

    This blog post provides a deeper look into the timeline of events surrounding the bug report, as well as an explanation of the bug itself and the steps we took to resolve it and ensure it cannot happen again.

    (Note: all events occurred on February 11, 2022, and all times are in PST.)

    • 10:16 AM: A member of the crypto community tweets that they have uncovered a serious flaw in the Coinbase trading interface, and requests contacts in the Coinbase Security team.
    • 11:00 AM: Based on limited initial information provided by intermediaries, Coinbase Security declares an incident and mobilizes engineering resources to begin testing all trading interfaces to determine the validity of the alleged bug.
    • 11:21 AM: The crypto researcher files a vulnerability report via HackerOne, Coinbase’s bug bounty platform, indicating that the flaw resides in a specific API for Retail Advanced Trading. Coinbase engineers also complete a review of all other user interfaces and Coinbase Exchange APIs and determine that they are not impacted.
    • 11:42 AM: Coinbase engineers are able to reproduce the bug, and the Retail Advanced Trading platform is placed into cancel-only mode, disabling new trades.
    • 4:01 PM: A patch is validated and released, resolving the incident.

    The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only utilized by our Retail Advanced Trading platform, which is currently in limited beta release.

    To give an example:

    • A user has an account with 100 SHIB, and a second account with 0 BTC.
    • The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
    • Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade.
    • As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange.
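The validation gap in the example above is the classic "authorization checks a property of the caller-supplied object, but not whether that object is the right one for the request" pattern. The following is an added illustration, not Coinbase's code, and every name in it (`Account`, `Order`, `check_balance_only`, `validate_order`, the account and product identifiers) is assumed for the example. It models the two accounts from the post, shows the balance-only check accepting the mismatched request, and shows a hardened check that derives which asset the order debits from the order book and side, and refuses the order when the source account holds a different asset.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    asset: str       # the currency this account holds, e.g. "BTC"
    balance: float

@dataclass(frozen=True)
class Order:
    product_id: str         # order book, e.g. "BTC-USD" (base-quote)
    side: str               # "sell" or "buy"
    size: float             # amount of the debited asset to spend (assumption for this example)
    source_account_id: str  # caller-supplied; the field the post says was edited

def asset_debited(order: Order) -> str:
    """A sell on BASE-QUOTE debits BASE; a buy debits QUOTE."""
    base, quote = order.product_id.split("-")
    if order.side == "sell":
        return base
    if order.side == "buy":
        return quote
    raise ValueError(f"unknown side {order.side!r}")

def check_balance_only(order: Order, accounts: dict) -> bool:
    """The incomplete check described in the post: balance is verified,
    but the account's asset is never compared with the order book."""
    acct = accounts[order.source_account_id]
    return acct.balance >= order.size

def validate_order(order: Order, accounts: dict):
    """Hardened check: the source account must exist, must hold the asset
    the order debits, and must have enough of it. Returns (ok, reason)."""
    acct = accounts.get(order.source_account_id)
    if acct is None:
        return False, "unknown source account"
    expected = asset_debited(order)
    if acct.asset != expected:
        # This is the missing comparison: account asset vs. order book asset.
        return False, f"source account holds {acct.asset}, order debits {expected}"
    if acct.balance < order.size:
        return False, "insufficient balance"
    return True, "ok"

# Constructed sample data mirroring the post: 100 SHIB in one account, 0 BTC in another.
ACCOUNTS = {
    "acct-shib": Account("acct-shib", "SHIB", 100.0),
    "acct-btc": Account("acct-btc", "BTC", 0.0),
}
# The request from the post: sell 100 BTC on BTC-USD, but name the SHIB account as the source.
MISMATCHED_ORDER = Order("BTC-USD", "sell", 100.0, "acct-shib")
# A legitimate request: sell 100 SHIB on SHIB-USD from the SHIB account.
VALID_ORDER = Order("SHIB-USD", "sell", 100.0, "acct-shib")

if __name__ == "__main__":
    print("balance-only check accepts mismatched order:",
          check_balance_only(MISMATCHED_ORDER, ACCOUNTS))      # True: 100 >= 100
    print("hardened check on mismatched order:", validate_order(MISMATCHED_ORDER, ACCOUNTS))
    print("hardened check on valid order:", validate_order(VALID_ORDER, ACCOUNTS))
```

The point of `validate_order` is that the expected asset is derived server-side from the order book and side, never taken from the request; the caller-supplied account is then compared against that derivation. The same shape of check applies wherever a request names a resource by identifier: confirm the resource is the right kind for the operation, not only that it is sufficient for it.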

    There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale. For example, Coinbase Exchange has automatic price protection circuit breakers, and our trade surveillance team continuously monitors our markets for health and anomalous trading activity.

    Thanks to the researcher who responsibly disclosed this issue, Coinbase was able to fix this bug in a matter of hours, and conclusively determine that it has never been maliciously exploited. We have also implemented additional checks to ensure that it cannot happen again.

    Coinbase strongly supports independent security research, and when those researchers uncover serious issues, we want to ensure that they are rewarded accordingly. As a result, we are paying our largest-ever bug bounty for this finding: $250,000.

    We welcome future submissions from this researcher and others via our HackerOne program: https://hackerone.com/coinbase.

  • Man who minted 14M ICX tokens due to a bug can pursue lawsuit to keep them

    A cryptocurrency enthusiast who exploited a bug in the ICON network to mint a large amount of its native ICX token can pursue entitlement claims, according to a California federal judge.

    On Monday, Aug. 9, U.S. District Judge William H. Orrick said that the case raises novel questions about digital property. He added that plaintiff Mark Shin had adequately alleged that the ICON Foundation was wrong to freeze his crypto asset accounts after he took advantage of its flawed code.

    According to Law360, the allegations were enough to allow the case to go forward, with Judge Orrick denying the bulk of ICON Foundation’s motion to dismiss the claims.

    According to court filings, Shin discovered a bug in the ICON Network’s code after a software update in August 2020. When attempting to transfer staked tokens, Shin discovered that 25,000 new native ICX tokens had appeared in his wallet.

    He thought that there was a “visual bug with the wallet software” and attempted the process again whereby another 25,000 ICX tokens were generated.

    The code flaw allowed Shin to create a total of 14 million new ICX tokens worth around $7.8 million at the time. Many of those tokens he then transferred to the Kraken and Binance cryptocurrency exchanges.

    According to the court order, Shin acknowledged that “the authors and developers of the [software update] may not have intended for the network proposal to behave as it did,” but argued that he was the new lawful owner of the tokens since the code changes had been adopted.

    He claimed that ICON disagreed and asked Binance and Kraken to freeze his accounts, saying that he had attacked the network. The judge agreed with the plaintiff’s claims of possible token ownership rights, allowing the case to proceed, stating:

    “The inquiry at this stage, however, is whether Shin has plausibly alleged possessory interest in the ICX tokens. I find that he has.”

    Ted Normand of Roche Freedman who is representing Shin added that the case raises questions over decentralization claims some networks make:

    “If you’re a DeFi company issuing assets… you can’t have a decentralized ecosystem only when it’s convenient.”

    The South Korean blockchain project has fallen from its previous lofty positions in the market capitalization charts as ICX tokens have tumbled in price and largely missed out on this bull market. Today, ICX trades at $1.12, down 91.5% from its January 2018 all-time high of a little over $13.
