Top

Crypto vulnerability uncovered with $1B in digital asset exposure

Policy & Regulation·November 22, 2023, 3:00 AM

Security vulnerabilities in the validator infrastructure of InfStones, an established infrastructure provider, have been disclosed by Tel Aviv-headquartered cybersecurity firm dWallet Labs.

Photo by Brett Jordan on Unsplash

 

Blockchain network validator vulnerability

In a detailed Medium blog post published on Tuesday, dWallet Labs shed light on a series of vulnerabilities that, when exploited, could potentially allow attackers to gain full control, execute code and extract private keys from numerous validators on major blockchain networks. Cryptocurrencies such as ETH, BNB, SUI, APT and others were identified as at risk, with potential direct losses estimated to exceed one billion dollars.

The vulnerabilities discovered by dWallet Labs opened the door for attackers to compromise the private keys of validators across multiple blockchain networks, putting over one billion dollars of staked assets at risk. In response to the findings, InfStones, a Web3 infrastructure platform, also released a statement on Tuesday acknowledging the potential threat. However, its representative, Darko Radunovic, disputed the figures provided by dWallet Labs in a statement sent to Cointelegraph. Radunovic stated that the vulnerabilities identified in the production environment account for below 0.1% of their active nodes launched to date, emphasizing that the impact would be limited to a small fraction of their operational nodes.

According to InfStones, “237 instances were in scope, of which 212 instances were deployed for our development and testing purposes, and 25 freshly deployed instances in the production environment.”

 

Mitigating steps taken

The company detailed the immediate actions taken to mitigate the vulnerabilities, including shutting down the affected ports, as well as rotating all credentials and keys within their platform. An internal review conducted by InfStones revealed no additional adverse effects. Notwithstanding that, the company took the additional step of hiring an external security firm to audit its systems and policies.

Meanwhile, dWallet Labs Founder and CEO Omer Sadika shared his thoughts on the X platform as to how he believes such events should be handled. Sadika wrote:

”The worst way to handle a cybersecurity vulnerability is not taking responsibility and lying. We were super open and transparent with the goal of eliminating the risk to web3. My take: it’s not about whether you are fully secure or not, because no one is, it’s about how you handle it and maintain the trust with your partners and customers.”

The collaboration between dWallet Labs and InfStones sheds light on the ongoing challenges faced by the cryptocurrency industry in maintaining the security and integrity of blockchain networks. While vulnerabilities were identified and addressed, the incident underscores the importance of proactive security measures to safeguard the assets and data within the rapidly evolving landscape of digital assets.

More to Read
View All
Web3 & Enterprise·

Jan 10, 2024

RIGO and BYFFIN host joint RIGO token airdrop event

RIGO, a public blockchain catered to private blockchain-based digital assets, is ringing in the new year with a joint airdrop event with BYFFIN, a South Korean private blockchain-based digital asset management service, according to an official announcement on RIGO’s website. Photo by GuerrillaBuzz on Unsplash"This RIGO X BYFFIN airdrop event with BYFFIN is designed to provide an easy and convenient experience for many users to use RIGO tokens," RIGO said. "We will strive to provide various experiences and benefits to users who participate in the RIGO blockchain ecosystem." Event detailsFive RIGO tokens will be airdropped to each of the first 3,000 participants on a first-come, first-served basis until Jan. 23 (KST). Participants are required to download the mobile BYFFIN Wallet app and create a personal wallet to be eligible to receive the rewards. This is the first promotional event held by RIGO and BYFFIN, and the two organizations plan to further expand their collaborative ventures in the future. RIGO’s wide-ranging servicesRIGO offers a variety of services, including RIGO Core, which provides custodial services of digital assets and manages data storage; RIGO Bridge, which supports hyperledger-based private blockchains; and RIGO Scan, a public real-time blockchain status dashboard.

news
Policy & Regulation·

Apr 13, 2023

Hong Kong Bank to Act as Settlement Bank for Crypto Firms

Hong Kong Bank to Act as Settlement Bank for Crypto FirmsZA Bank, Hong Kong’s largest virtual bank, is looking to become the go-to bank for crypto startups. The online bank has been given permission to serve as the settlement bank for regulated Web3 companies in the city. This development was announced at Hong Kong’s Web3 Festival, an event supported by the local government and attended by crypto startups and institutions from across Asia.©Pexels/Frank BarningHashKey and OSL collaborationZA Bank is expected to facilitate crypto-fiat conversions with two licensed exchanges in Hong Kong, HashKey and OSL, where customers can swap crypto into fiat currencies. ZA Bank will also offer basic banking services to local Web3 startups, a category that is currently underserved by traditional financial institutions.ZA Bank is focusing on assisting local Web3 startups and small-medium enterprises (SMEs).The bank linked up to the city’s company registry data, allowing for minimal information input and cross-checking. According to Devon Sin, alternate chief executive of ZA Bank, the bank currently conducts AML scrutiny against the usual checklists to satisfy the regulatory requirements. No AML issues have emerged during the recent months of work.Competing for global crypto businessHong Kong is trying to establish itself as a crypto-friendly alternative to other hubs, such as the US and Singapore, and a sandbox for Web3 businesses from China, where crypto trading is illegal. The city is revamping its digital assets regulatory framework, with plans to legalize retail trading of major cryptocurrencies like Bitcoin and Ether. Ronald Lu, CEO of ZA Bank, said that ZA Bank’s online account opening for Web3 startups is a major step forward in integrating traditional banking services with the Web3 world.According to Lu, ZA Bank will act as a settlement bank for clients to allow withdrawals in Hong Kong, China, and US currencies after they deposit crypto tokens with exchanges. The business model is already operational through HashKey and OSL, the only two licensed crypto exchanges in Hong Kong. The bank will provide the same service for other exchanges as they become licensed.HK China’s crypto “trial run”Hong Kong is opening up to the beleaguered sector in a move that aims to revive its status as a financial center following years of COVID restrictions and political upheaval. However, access to banking has been a major hurdle for the city’s ambitions. The city’s banking and securities regulators are hosting a round-table for crypto players and bankers to share experiences and perspectives on banking services later this month.Many have speculated about a softening stance on cryptocurrency by the Chinese authorities. However, it’s more likely that they continue with strict regulation and control relative to crypto in mainland China while happy to monitor a more open approach to it within Hong Kong. Crypto analyst Myles Deutscher likens the approach to a “trial run” that is being monitored by China.Launched in March 2020, ZA Bank is one of Hong Kong’s eight licensed virtual banks and had the most net assets as of last year, despite remaining unprofitable. The virtual lender doesn’t expect it will need to boost its headcount to handle the crypto client push. Although the revenue model is still unclear, Lu said that more clients, more deposits, and more business opportunities are always great for the bank. The lender doesn’t offer services for clients from mainland China, given the restrictions in place there.

news
Policy & Regulation·

Jan 03, 2025

INDODAX snags full licensing in Indonesia

INDODAX, Indonesia’s largest virtual asset trading platform by trading volume, has acquired full licensing in Indonesia from the local regulator. That’s according to a report published by local media outlet VOI. The license, a Physical Crypto Asset Trader (PFAK) license, has been awarded to the company by Indonesia’s Commodity Futures Trading Supervisory Agency, better known as BAPPEBTI.  The license will place INDODAX in a complaint position within the Indonesian market, relative to local regulations. The business has been issued certificate number 10/BAPPEBTI/PFAK/12/2024 by the regulator, its approval certificate as a Physical Crypto Asset Trader.Photo by Mark König on UnsplashMandatory registration requirementIn December 2023 the authorities in Indonesia set out a mandatory requirement for crypto trading entities to register with the Commodity Future Exchange (CFX). CFX is Indonesia’s national crypto bourse, while INDODAX is a member. As of April 2024, 35 crypto exchanges had been registered with the regulator. CFX has been given the mandate to monitor crypto exchange operations, to safeguard investors by ensuring exchanges abide by local regulations. Fendy Tan, chief financial officer (CFO) at INDODAX commented on the firm’s recent licensing milestone, stating: "We are grateful to BAPPEBTI and CFX for the trust given through this full license. The long process that must be passed reflects our commitment to providing the best protection for users. The license number 10 also has a special meaning, which symbolizes perfection, and symbolizes the 10-year journey of INDODAX in leading the crypto industry in Indonesia."  Liquidity and SOP requirementsIn order to acquire this license INDODAX had to comply with BAPPEBTI Regulation Number 8 of 2021 and Number 13 of 2022. It has also had to ensure a minimum paid-up capital of 100 billion Indonesian Rupiahs ($6,158,000), and a minimum equity of IDR 50 billion ($3,079,000). Furthermore, the company has had to implement a set of standard operating procedures (SOPs), together with achieving ISO certification in accordance with global security standards, with specific emphasis on complying with regulations to safeguard customer funds according to the balances held on account of fiat currency and digital assets by INDODAX customers. INDODAX is understood to have 7.1 million customers while a transaction volume of 109 trillion Indonesian rupiahs was reached for the period January to November 2024. BAPPEBTI had extended a deadline for the crypto licensing of exchanges late last year, a move welcomed at the time by INDODAX CEO Oscar Darmawan. Darmawan said that the move would strengthen the industry by ensuring that market participants were compliant with recently introduced regulations. While this licensing milestone is a positive for INDODAX, the firm had faced challenges in 2024. In September it emerged that the platform had been compromised with the loss of around $18 million in digital assets. Meanwhile, the authorities in Indonesia had planned to switch crypto market oversight from BAPPEBTI to the Financial Services Authority (OJK) by Jan. 12. However, a recent report published by the Jakarta Globe suggests that the Indonesian government has yet to finalize this regulatory transfer.

news
Loading