2023-10-14, 16:30–16:50, Track #1
Web 3.0 smart contracts, like the ones found on Ethereum, bring promises of speed, decentralization, and security. Although DeFi's model may seem complex, these projects can still be vulnerable to relatively simple attacks like domain takeovers. In this beginner-friendly talk, we discuss how I discovered dangling DNS on several decentralized crypto exchanges and my experiences trying to responsibly disclose the vulnerabilities to them.
Introduction to Dexs (Decentralized Exchanges)
- What are some of the largest Dexs and why are they used?
  - Uniswap, PancakeSwap, Sushiswap all allow users to trade tokens without having to use a centralized intermediary like Coinbase or Kraken.
  - Users might not want to go through KYC (share their identity), or want to purchase a token that's not listed on an exchange (HarryPotterObamaSonic10Inu).
  - These organizations are often DAOs (decentralized autonomous organizations), so development is public on GitHub.
- What does the user experience look like?
  - MetaMask prompts the user to approve the token, then to approve the swap.
Introduction to NextJS / Vercel
- Vercel is a product from NextJS that is something like a CI/CD pipeline for a frontend
  - Each pull request gets a preview deployment
  - Changes merged to main get a production deployment
Discovering Vulnerability #1 - Vercel Bugs
- March 2022: A bug in Vercel allowed an attacker to drain $320,000 from EVODeFi, so I began investigating how this might have happened
- It turned out many crypto projects were using Vercel, so I decided to take a closer look. If a malicious user took over a Dex frontend, it would be trivial to trick users into approving malicious contracts.
- YearnFi - linked to a Vercel deployment in their GitHub repositories
  - I took over crv.ape.tax; yearn-hub.vercel.app; other deployment URLs
  - Reward: $500 DAI (had to reach out on Keybase, ImmuneFi did not help)
- Took over uniswap-frontend-beta.vercel.app
  - No reward
- Took over the full domain of Sushiswap.fi and was able to increase impact by adding mail records
  - Reward: 100 Sushi, not from the foundation, unofficially via Discord
- Since most DeFi sites used finance domains, I scanned the entire zone file for dangling Vercel domains
- Took over domains of some defunct projects. Unable to return these to their rightful owners.
Discovering Vulnerability #2 - Onename
- Onename.io was used to translate user handles into Bitcoin addresses
- Previously hosted on Heroku - the DNS record was left dangling, so the name could be taken over
- Many high-profile Twitter users had linked to this service, including crypto CEOs. As an attacker this would be extremely useful for phishing.
- Reported to HackerOne: $100 bounty
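The recurring finding in both sections above is the same: a CNAME in a project's own zone still points at a Vercel or Heroku hostname that nobody owns any more. The following is an added defensive inventory check, not code from the talk: it follows each CNAME chain, flags records that end at a claimable provider host which either no longer resolves or serves the provider's "unclaimed" page, and runs here against constructed sample zone data. The provider suffixes and the marker strings (`DEPLOYMENT_NOT_FOUND`, `No such app`) are assumptions to verify against the provider before relying on them; the DNS and HTTP probes are injected as functions so the logic runs offline.

```python
from dataclasses import dataclass

# Hosting suffixes whose names can be re-claimed once the owning project is
# deleted, mapped to the marker an unclaimed name shows (assumed; verify per provider).
PROVIDERS = {
    "vercel.app": "DEPLOYMENT_NOT_FOUND",
    "herokuapp.com": "No such app",
    "herokudns.com": "No such app",
}

@dataclass
class Finding:
    name: str      # record in our own zone
    target: str    # provider host the CNAME chain ends at
    reason: str    # "nxdomain" (target gone) or "unclaimed" (provider's 404 page)

def provider_marker(host):
    """Marker string for a known claimable provider host, else None."""
    for suffix, marker in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return marker
    return None

def check_record(name, cname, resolves, body):
    """Follow the CNAME chain from `name`; report it if it dangles at a provider."""
    seen, target = set(), cname(name)
    while target and target not in seen:   # loop guard for CNAME cycles
        seen.add(target)
        marker = provider_marker(target)
        if marker is not None:
            if not resolves(target):
                return Finding(name, target, "nxdomain")
            if marker in body(name):        # probe our own name, Host header intact
                return Finding(name, target, "unclaimed")
            return None                     # provider host is still claimed
        target = cname(target)
    return None

# Constructed sample zone and probe results (not real DNS data).
CNAMES = {
    "app.example-dex.finance": "old-frontend.vercel.app",
    "docs.example-dex.finance": "pages.example-dex.finance",
    "pages.example-dex.finance": "example-dex-pages.vercel.app",
    "cdn.example-dex.finance": "retired-app.herokudns.com",
    "id.example-names.io": "example-names.herokuapp.com",
}
RESOLVES = {"old-frontend.vercel.app", "example-dex-pages.vercel.app", "example-names.herokuapp.com"}
BODIES = {"app.example-dex.finance": "404: DEPLOYMENT_NOT_FOUND",
          "docs.example-dex.finance": "<html>Example DEX docs</html>",
          "id.example-names.io": "No such app"}
def scan(names):
    return [f for n in names
            if (f := check_record(n, CNAMES.get, RESOLVES.__contains__, lambda h: BODIES.get(h, "")))]
```

On a real zone, replace the three sample lookups with your resolver and an HTTP fetch of each name, and treat every finding as a record to delete or re-point rather than leave in place.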
- Just start hunting and learning - these bugs did not require uber 1337 hacking skills
- Think about your threat model - don't get stuck thinking of the most complicated exploit scenario when dangling DNS is simple yet impactful
- Crypto and Infosec people should talk more instead of fighting with each other :)