Secret Network has announced the resolution of a severe vulnerability reported by white hat hackers. Researchers were able to decrypt Secret’s internal transactions using an exploit.
On November 30, Guy Zyskind, the CEO of privacy-focused smart contract blockchain Secret Network, declared that a privacy-related vulnerability had been corrected and that users’ assets were still safe. According to a document from Secret Network dated Nov. 29, neither users nor developers needed to take any action, and on Nov. 2 all active nodes received an upgrade to fix the exploit.
The chain of events started on October 3 when a team of white-hat computer scientists contacted the Secret team about a recently discovered xAPIC (Advanced Programmable Interrupt Controller) architectural bug.
The developers of the Secret Network revealed the sequence of events late yesterday. In some Intel CPUs that support the Software Guard Extension (SGX), the vulnerability allowed uninitialized memory reading. The blockchain uses SGX technology to offer secure smart contract execution.
According to their paper, even when they lacked the resources to be trusted to actively validate transactions, the researchers first registered a server as a validator node on the blockchain.
A copy of Secret’s global consensus seed was then saved after registration inside of its SGX enclave. Researchers then obtained the Secret Node’s consensus seed and private Intel Enhanced Privacy ID key using the aforementioned CPU bug.
Finally, using these tools, they were able to circumvent Secret’s privacy-preserving mechanisms and decrypt both the internal state of every smart contract on the network and the digital assets they contained.
On October 4, secret developers confirmed the exploit, and they worked with researchers and Intel staff to come up with a plan to patch the hole. The first step involved forcibly removing nodes from the network and erasing their secret keys.
Once all known vulnerabilities had been patched, which was finished on November 2, nodes could rejoin the network. The Secret Network team stated, “With this upgrade, it is now impossible to mount xAPIC attacks against the Secret Network mainnet.”
In order to reduce the attack surface that user-class hardware presents, new nodes joining the network will only be allowed to use server-class hardware. Secret Network, which was founded in 2015, has a market cap of $131 million as of this writing thanks to its native token SCRT. Secret NFTs was introduced by the company and director Quentin Tarantino in November of last year.
