This issue also affects other systems that transfer funds to users. If you think your system may be affected, please DM @trailofbits or @levelk_io
The disclosure is now public: https://medium.com/level-k/public-disclosure-malicious-gastoken-minting-236b2f8ace38 … We appreciate the patience while affected parties were notified.
Could you be a bit more specific about what this affects? There are too many systems that transfer funds to users... Does this affect sending Ethereum transactions, for example?
We will disclose this to as many people and organizations we believe are affected early next week. We are only gathering contact information right now, and finishing our technical investigation of the flaw.
Is this methodology appropriate when considering a decentralised network? Given the vagueness of the issue so far, anyone may be affected, the extent of which will be unknown except to the individual. Will your approach give big known players an unfair advantage?
It will give people who add themselves to our notification list an advantage, which we are loudly trying to advertise in advance of a quiet, embargoed notification period and then later public release.
As a random individual, can I put my name on the list? If not, how do you plan to ensure that parties you are pre-disclosing to (including everyone associated with them) have the interest of their users and will not misuse their advantage?
We are only notifying people who have an ability to patch their systems to mitigate the flaw. Everyone else will receive the details once the embargo period has expired.
Ability to patch = ability to exploit. No? Scenario: a common DEX construct has an exploit that allows stealing user funds. You disclose the exploit to the exchange first; a friend of the owner exploits it to steal user funds before said user is aware or able to personally mitigate.
Thanks for your perspective, however, we see no better way to release this information than a staged process that attempts to maximize patching and minimize harm. You can choose a different process when you find the bug.
Will you publish a list of exchanges that have been notified and agreed to patch?
If only we had 20+ years of experience on how to properly handle security disclosures. Welp, Twitter it is for now!
If this does impact DEXs in a general way, then it may be prudent to suggest that everyone withdraws funds from DEXs before any disclosure. If there is any common way for people to mitigate the impact of the bug, this should be published ahead of any disclosure, to any parties.
Is it about how custom exchange software creates signatures for transactions?