Recently, on the HackenProof bug bounty platform, a bug hunter submitted a critical-severity report for a well-known decentralized ecosystem. He demonstrated that he was able to access a limited number of private keys used to manage the main assets and funds of the listed projects, as well as the keys of active users. Exploiting this issue could have led to the instant loss of 564,339 native ecosystem tokens, and to a persistent attack with continuing instant token losses.
The root cause of this vulnerability was an API endpoint that returned the private keys for any blockchain interaction executed through the platform, such as staking or rewarding. This information was accessible to any user who followed a creator or any other active platform user participating in ecosystem activities.
To achieve maximum impact, the bug hunter chained previously discovered bugs that allowed him to subscribe to every single user of the platform, thus tracking their blockchain activities through the vulnerable API endpoint and accessing both their personal private keys and the keys of the projects those users interacted with.
First, the bug hunter parsed a structured 54MB JSON file and extracted the user IDs from it.
With a complete list of user IDs, the bug hunter ran a Burp Intruder attack to subscribe to every user on the platform. After the attack completed, the following information was exported by the bug hunter through the vulnerable API endpoint:
As a result, more than 2500 private keys were exfiltrated. The vulnerability was immediately passed to the development team and fixed.
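The bug class described above, an activity record serialized with the signer's key material and handed to other users, is easiest to catch at the response egress boundary, before any follow-based access check matters. The following Python is an added example, not code from the platform or from the report; the sensitive field names, the hash-field hints and the sample activity record are assumptions.

```python
import re

# Shape of a raw secp256k1/EVM private key: 32 bytes as 64 hex chars, optional 0x.
# A 32-byte transaction or block hash has the same shape, so the value rule is
# only applied where the field name does not say the value is a hash.
HEX32_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Field names that must never appear in a response served to another user (assumed list).
SENSITIVE_NAMES = {"private_key", "privatekey", "privkey", "secret_key", "mnemonic", "seed"}
HASH_HINTS = ("hash", "txid", "tx_id", "digest")

def _normalize(name):
    return name.lower().replace("-", "_")

def find_leaked_secrets(obj, path="$"):
    """Walk a decoded JSON body; return [(json_path, reason)] for suspicious fields."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            name = _normalize(key)
            if name in SENSITIVE_NAMES:
                findings.append((child, "sensitive field name"))
            elif isinstance(value, str) and HEX32_RE.match(value) \
                    and not any(h in name for h in HASH_HINTS):
                findings.append((child, "32-byte hex value outside a hash field"))
            findings.extend(find_leaked_secrets(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_leaked_secrets(value, f"{path}[{i}]"))
    return findings

def redact_response(obj):
    """Return a copy of the body with every flagged field replaced by a marker."""
    flagged = {p for p, _ in find_leaked_secrets(obj)}
    def walk(node, path):
        if isinstance(node, dict):
            return {k: ("[REDACTED]" if f"{path}.{k}" in flagged else walk(v, f"{path}.{k}"))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node
    return walk(obj, "$")

# Constructed sample: a "stake" activity record in which the signer's key material
# was serialized next to the public fields. The tx_hash must not be flagged.
SAMPLE_ACTIVITY = {
    "activity": "stake",
    "tx_hash": "0x" + "ab" * 32,
    "amount": "1500",
    "signer": {"address": "0x" + "11" * 20, "private_key": "0x" + "cd" * 32},
}
```

Running find_leaked_secrets over every outbound body in a test suite (or logging its findings from a middleware) turns this class of leak into a failing test rather than a bounty report.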