"Responsible Rescue"
Rethinking Responsible Disclosure for Cryptocurrency Security
At Unciphered we recover keys for people who’ve lost them. We are building toolkits for that on an industrial scale. We’ve also been in deep discussions since last year on how to handle Responsible Disclosure when we discover a new class of vulnerability that allows us to create Private Keys, Mnemonics, or Seed Phrases.
We sometimes find vulnerabilities that are a lot bigger than one person’s wallet. We can recover that wallet, but what do we do about all the innocent users who’d lose their money if the vuln were known?
At Unciphered, we do black-box and white-box audits of crypto wallet software, firmware, hardware, and non-custodial web libraries. Sometimes we find minor shortcuts to guess a client's password, and sometimes we find a class of attack that compromises all the wallets from that vendor*; the impact is similar to or bigger than the recent Solana wallet draining attack: https://techcrunch.com/2022/08/03/solana-wallet-hack/
We've already worked through the responsible disclosure process with the Electrum Wallet team and forked projects, but we are now at a crossroads where we see innumerable vulnerable crypto wallets belonging to innocent people. If attackers with malicious intent mimic what we've developed, it's going to be a bad day for the trust of the entire cryptocurrency ecosystem.
Stewart Baker, one of our legal advisors, has been working with us to determine the best course of action to coordinate with the growing list of affected vendors and customers. The recourse provided by traditional Responsible Disclosure paths is woefully inadequate, because you can't patch a private key, and moving assets without permission is a CFAA violation.
In such cases, it is necessary to move the assets of every affected customer to new, non-vulnerable wallets at the same time. A piecemeal approach risks alerting malicious attackers to the vulnerability and presents an opportunity for theft of funds. What do we do? While we’re already working through these issues with a broad group of partners, these are issues that we can’t just Patch Tuesday away, and it’s still early days.
If you want to dive into the legal ramifications of the topic, here is Stewart’s article on Lawfare Blog, outlining these issues and more: https://www.lawfareblog.com/rethinking-responsible-disclosure-cryptocurrency-security.
If you are involved in similar research or want to share thoughts, contact us at info@unciphered.com or eric@unciphered.com.
~Eric
* We discovered a vulnerability which allows us to generate key pairs for Ethereumwallet.com. Affected v1 wallets have had over 15k ETH coins in transit. We have been attempting to contact Anthony Di Iorio (of Decentral.ca / Jaxx Liberty Wallet) to recover the rest of the lost assets for his customers. If anyone can put us in touch, please do; it's been a black hole for 9 months and we want to avoid attackers getting the assets.