Tendermint Inc. – the for-profit entity behind the core technology of the Cosmos network – released today a full disclosure about a former security vulnerability in the Cosmos SDK.
A flaw in the MakerDAO Governance Voting Contract, detected by the Maker Foundation, put the tokens users had staked at risk and required a critical update. The Maker team shared the information on its official subreddit a few hours ago.
According to the new findings, the discovery was possible thanks to joint work between the Maker Foundation, Coinbase and the cybersecurity firm Zeppelin.
The post does not give any particular details about the bug or the consequences it might have; however, the team urges all stakers to withdraw their tokens and place them in their personal wallets or migrate to the new version of the contract, the one with the critical update.
Maker’s team emphasized that they are not hiding information and promised to “provide a full debrief and detailed outline of the changes ASAP.”
Don’t Stake Maker Tokens? Then, Don’t Worry
According to the post, the problem affects only the voting contract and not the stability of the token, so those who do not take part in the voting portal have nothing to worry about.
They also explained that those whose tokens are already in the new contract do not need to worry. The problem may arise for those who have not migrated yet.
You are not in danger of losing your MKR if you own one of the ~190 addresses that have staked MKR in the current MakerDAO Governance Voting Contract, but you are advised to move your MKR out of the old contract and back into your personal wallet immediately.
The Maker Foundation is also responsible for the development of DAI, a stablecoin pegged to the value of the dollar. In order to achieve price stability and keep it as close as possible to a 1:1 ratio with USD, MakerDAO creates or destroys MKR as this stablecoin's price fluctuates.
The Maker Foundation's announcement does not seem to have affected the value of the MKR token. The cryptocurrency has traded fairly steadily during the day, with a steady bullish trend that has led the token to test resistance around 552 USD.
The post Critical Bug Found in the Maker Voting Contract. Stakers Must Withdraw Their Tokens ASAP appeared first on Ethereum World News.
Yet another dire security flaw was unveiled Tuesday with potential ripple effects across the tech world, including for cryptocurrency projects seeking to leverage certain hardware devices.
Following a pair of bugs unveiled earlier this year, the Foreshadow vulnerability affects Intel's Software Guard Extensions (SGX) enclaves, a special, supposedly extra-secure region of the chip often used for storing sensitive data.
In short, while the enclave is supposed to be tamper-proof, a group of researchers found a way for an attacker to steal the information it stores.
For many, Meltdown and Spectre were spooky enough. The bugs affected nearly every modern Intel chip, the hardware powering most of the world's computers. But, since they were not easy to execute, there were not many real-world attacks.
Foreshadow might not sound as bad because it impacts a more specific type of Intel hardware: SGX. However, since many cryptocurrency projects plan to use this technology, Foreshadow could have even worse ramifications for the cryptocurrency world.
Perhaps most notably, Signal creator Moxie Marlinspike is in the process of advising a new, allegedly greener coin called MobileCoin that puts SGX at the center, even raising $30 million to do so.
As a result, these projects will have to do some restructuring before launching for real.
“The findings released today absolutely have a broad impact on cryptocurrency projects,” Cornell University security researcher Phil Daian told CoinDesk.
The good news, though, is that the researchers followed the security world's "responsible disclosure process" for revealing bugs, alerting Intel before showing it off so the tech giant could come up with a fix (which was deployed a few months ago).
But the security world is making a lot of noise because that still might not be enough.
“It is likely that, because many of these systems are slow to upgrade and because many of these fixes require either involved or hardware upgrades, infrastructure will remain vulnerable to this class of attack for a long time,” Daian said, adding:
“It would be surprising if at some point this flavor of attack is not used to steal cryptocurrency.”
The good and the bad
But there’s both good and bad news.
For one, it appears as though none of the high-profile SGX projects in cryptocurrency are yet being used to secure real money. “To my knowledge, there is no SGX system in production or widespread use in the space today,” Daian said.
The bad news is there are plenty of projects that want to use SGX, and some may even have plans to do so soon. And the ideas are pretty cool.
MobileCoin is perhaps the most ambitious since the project’s developers want to replace miners, a crucial part of securing any cryptocurrency, with these enclaves to build a more energy-efficient cryptocurrency.
But there are plenty of others that want to use SGX for its security and privacy gains.
Enigma is using it in a unique bid to boost privacy in smart contracts, while wallet hardware company Ledger went as far as to partner with the tech giant Intel to explore using SGX as a new avenue for storing private keys. And the list goes on and on.
"The SGX attack is devastating," King's College London assistant professor Patrick McCorry told CoinDesk, adding that research groups have long been discussing how it can be deployed to add extra security to data.
“It can potentially undermine the integrity – and privacy – for any application that is reliant upon trusted hardware. A lot of companies in the cryptocurrency space rely on SGX to support multi-party protocols, but this attack allows any participant to cheat,” he added.
“In my opinion, good SGX research and systems should assume hardware can always be broken at some cost, and should, as always, design defensively and include layered security,” Daian said.
He went on to give some advice to companies that plan to launch soon.
“Projects planning to launch soon that rely on SGX should evaluate the vulnerabilities and any updates from Intel with caution for implications to the security of their systems, and should publish such investigations along with their code,” he said.
The other bad news, though, is that it is possible for hackers to find a new variant of the bug that similarly affects all SGX chips.
“But as foreshadow demonstrates, attacks only get better,” McCorry remarked.
Meanwhile, the bug is leaving some developers feeling vindicated.
Because SGX's enclave launch and remote attestation ultimately depend on keys that Intel controls, it has long been a controversial technology for cryptocurrency projects, with enthusiasts often arguing that using it puts too much power or trust in one company's hands.
Simply put, in their minds, the Foreshadow vulnerability is a good example of why not to put SGX at the cornerstone of a cryptocurrency project.
“Good thing we didn’t adopt a certain professor’s SGX-based bitcoin scaling solution!” tweeted pseudonymous bitcoin enthusiast Grubles.
“Though even *if* it had been somehow perfect, it was never a good idea to root the security of bitcoin in a chip vendor’s secret sauce technology,” Bitcoin Core maintainer Wladimir van der Laan responded.
But again, most projects using SGX haven’t actually launched in production.
Some researchers went as far as to argue that most cryptocurrency projects exploring SGX have not actually used it with real money because of Intel's reputation. The industry has been experimenting with the technology, but is too cautious to actually go through with a launch.
Some security researchers advise continuing that trend and not using SGX at all.
But other researchers are more optimistic that SGX, or something like it, could one day play a big role in cryptocurrency, seeing Foreshadow as a positive sign trusted hardware is being battle-tested.
“SGX will need to be repeatedly tested and broken by adversarial researchers until it can claim a strong degree of security, which will take years,” Daian said, going on to add that he believes trusted hardware along the lines of SGX may one day play a big (and positive) role in cryptocurrency.
In short, it might just take some time, he argued, adding:
“Realizing such a technology certainly holds great promise for trust minimization and scalable privacy protection in cryptocurrency and beyond.”
EOS BPs Violating its Own Constitution
EOS is back in the news again, this time for apparently violating its own constitution. According to reports, the 21 EOS BPs have frozen seven accounts allegedly involved in a phishing scam. The decision to freeze the accounts has generated a lot of controversy, with many critics calling it yet another example of the lack of decentralization in the EOS project.
Details of the Freeze
The 21 EOS block producers (BPs) unanimously voted to freeze seven EOS accounts. There are allegations that these seven accounts held funds stolen in a suspected phishing attack. The BPs acted under the EOS911 protocol, an initiative started by EOS42, one of the 21 BPs, to enable the recovery of stolen funds. However, the main bone of contention is that the BPs' decision contravenes the provisions of the EOS constitution. Article IX of the EOS constitution states:
Dispute Resolution – All disputes arising out of or in connection with this Constitution shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules.
Based on Article IX of EOS' controversial constitution, BPs do not have the authority to make such decisions. The power to resolve disputes lies solely with an "arbitration body." The role of the BPs is to carry out the resolutions reached during arbitration.
BPs Circumvent ECAF
The EOS Core Arbitration Forum (ECAF) was the arbitration body for this dispute. ECAF declined to take any action, citing limited authority to act in the matter. This decision was based on the fact that the main EOS constitution is yet to be ratified; only an interim constitution is in place at the moment.
With ECAF unwilling to act, it appears the BPs took it upon themselves to come to a decision. In a blog post by EOS New York, the BPs said:
We plead with the accompanying Block Producers/Candidates that the ECAF must step forward to issue the emergency freeze action on the affected accounts. Without this, we proceeded as a group to review the evidence ourselves and came to a difficult decision of executing based upon the evidence brought forth.
Reactions to the Actions of the EOS BPs
To be clear (and not accused of “FUD”), what happened here is that they froze the accounts with agreement from the other block producers *before* the ECAF (EOS Core Arbitration Forum) had issued a decision.
Why have the ECAF or a “constitution” if that’s how things are done?
— Jackson Palmer (@ummjackson) June 19, 2018
The BPs' decision to freeze the seven accounts has generated a lot of debate within the cryptocurrency community. The major focus on both sides of the argument is the philosophy of blockchain immutability and decentralization. Critics such as Jackson Palmer of Dogecoin, cryptographer Nick Szabo and Bitcoin Foundation co-founder Charlie Shrem disagree with the BPs' decision.
In EOS a few complete strangers can freeze what users thought was their money. Under the EOS protocol you must trust a “constitutional” organization comprised of people you will likely never get to know. The EOS “constitution” is socially unscalable and a security hole. https://t.co/WusEqBMGBp
— Nick Szabo⚡️ (@NickSzabo4) June 19, 2018
Most critics object to the monopoly of the 21 BPs. According to them, such a situation hardly qualifies as a decentralized blockchain. Supporters of the BPs argue that blockchains need protocols in place to punish bad actors.
“Protecting” “punishing”. No. No one gets to decide those things. You are hair swapping 1 nation state for another one, albeit a digital one. This is the point of crypto, no one should have that power. If you do, then we should just stop wasting everyone’s time. https://t.co/yCh6IIPGqp
— Charlie Shrem (@CharlieShrem) June 18, 2018
The freezing of the seven accounts is the latest in a list of controversies surrounding the EOS project. A few days ago, the mainnet halted after a bug was discovered. The mainnet launch itself was plagued by bugs as well as concerns over the voting process.
What are your views on the EOS decentralization debate? Do you think the 21 EOS BPs are monopolizing the control of the blockchain? Keep the conversation going in the comment section below.
You may have missed it, but over the weekend, transactions on the live EOS blockchain came to a complete – yet temporary – halt.
Coming less than 48 hours after the much-anticipated blockchain network went live, the announcement kicked off a social firestorm (not to mention a reported 5 percent drop in the value of the network’s cryptocurrency).
Some background: the EOS launch, reported last week by CoinDesk, came at the end of a topsy-turvy period illustrated by last-minute code tweaks, an elaborate election of entities tasked with creating the network’s transaction blocks, and, of course, the $4 billion EOS token sale.
So, it came as a surprise to some that the network would run into enough trouble that it triggered a failsafe network freeze. And unsurprisingly, critics of EOS were quick to pounce.
A patch to fix the issue was released and implemented less than five hours later.
However, in the fast-moving world of crypto, there was already damage done to the network’s reputation.
That’s not to say that EOS didn’t have any commentators – or outright supporters – going to bat for it during the weekend debate. From a more supportive perspective, the weekend stoppage was seen largely as a growing pain and a symptom of a network controlled by no single entity, still getting its bearings so soon after launch.
Among the notable voices offering support to the project was Zcash creator Zooko Wilcox, who wrote “kudos” in the wake of the bug response.
Asked if he was joking, he was quite clear: the answer was no. EOS’s response, in his eyes, was exemplary.
For others, the expectation of a “perfect” launch was an unrealistic one to begin with. And it’s probably safe to say that some members of the EOS community aren’t too concerned about the network stoppage, given the move to repair the bug.
An old debate made new
And while EOS blocks are moving once again, it’s clear there’s one thing not going anywhere: the debate over the degree of centralization on the network.
What is being debated, in a broader sense, is the extent to which EOS is immune to the actions of any one group or entity: the more centralized it is toward one such group, the more likely it is to face problems if that group has issues, dissolves or is attacked.
For EOS, the centralization risks are unique – and put on display thanks to the weekend issue.
EOS block producers are the only ones who can validate transactions on the blockchain. They are elected by other users, with votes weighted by the number of tokens staked.
As a result, though the mainnet platform is not owned by any singular authority, these block producers act as de facto leaders able to make executive decisions on proposed changes, or in this case, fixes to the network.
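To make the centralization argument concrete, here is an added example (written for this page; it is not EOS's own election code) of a stake-weighted approval election in the style the paragraph describes. Everything beyond "votes are weighted by the number of tokens staked" is an assumption: each voter approves a set of candidates and every approved candidate receives that voter's full stake, the top N candidates by stake win, and ties are broken by candidate name. The ballots are constructed sample data. The two coalition measures at the end are the check a reviewer would want: how few of the largest stakers already fix the whole producer set.

```python
"""Stake-weighted approval election with a concentration check.

Added example, not EOS code. Assumed rules (not from the article):
  * a voter's full stake is credited to every candidate they approve,
  * the N candidates with the most stake are elected,
  * ties are broken by candidate name so results are deterministic.
"""
from collections import defaultdict

# Constructed sample ballots: (voter, staked tokens, approved candidates).
SAMPLE_BALLOTS = [
    ("whale1", 5_000_000, ["bp-a", "bp-b", "bp-c"]),
    ("whale2", 3_000_000, ["bp-a", "bp-b", "bp-d"]),
    ("fund",   1_000_000, ["bp-c", "bp-d", "bp-e"]),
    ("alice",      5_000, ["bp-e", "bp-f"]),
    ("bob",        2_000, ["bp-f", "bp-g"]),
    ("carol",      1_000, ["bp-g"]),
]


def tally(ballots):
    """Total stake behind each candidate. A candidate listed twice on one
    ballot is counted once, so a voter cannot double-weight a favourite."""
    totals = defaultdict(int)
    for voter, stake, approvals in ballots:
        if stake < 0:
            raise ValueError(f"negative stake for {voter}")
        for cand in set(approvals):
            totals[cand] += stake
    return dict(totals)


def elect(ballots, n):
    """The top-n candidates by stake, highest first; ties broken by name."""
    ranked = sorted(tally(ballots).items(), key=lambda kv: (-kv[1], kv[0]))
    return [cand for cand, _ in ranked[:n]]


def smallest_deciding_coalition(ballots, n):
    """How many of the largest stakers, voting alone, already produce the
    same top-n set as the whole electorate. 1 means a single holder decides."""
    full = elect(ballots, n)
    by_stake = sorted(ballots, key=lambda b: (-b[1], b[0]))
    for k in range(1, len(by_stake) + 1):
        if elect(by_stake[:k], n) == full:
            return k
    return len(by_stake)


def stake_majority_coalition(ballots):
    """Fewest voters whose combined stake exceeds half of all staked tokens
    (a Nakamoto-coefficient-style measure of voting power concentration)."""
    total = sum(b[1] for b in ballots)
    acc = 0
    for k, b in enumerate(sorted(ballots, key=lambda b: -b[1]), start=1):
        acc += b[1]
        if acc * 2 > total:
            return k
    return len(ballots)


if __name__ == "__main__":
    N = 4  # the article's network uses 21; 4 keeps the sample readable
    print("elected:", elect(SAMPLE_BALLOTS, N))
    print("stakers needed to fix the full set:",
          smallest_deciding_coalition(SAMPLE_BALLOTS, N))
    print("stakers holding a stake majority:",
          stake_majority_coalition(SAMPLE_BALLOTS))
```

With the sample ballots the two whales alone reproduce the full four-seat result, and one of them already holds a majority of all staked tokens; the three small holders could vote for anyone without changing a single seat. That is the property critics of the block producer model are pointing at.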
Since the design's inception, critics have been concerned about the centralized power of block producers, and now, with the latest issued upgrade, 1.0.5, they have a real case of that power in action.
In response to the criticism, EOS maintains that its token distribution and block producers remain far from centralized, pointing to the global distribution of block producers.