Technical analysis of the PREMINT security incident: how can such attacks be avoided?

Written by: GoPlus

At 16:00 on July 17 (UTC+8), premint.xyz was hacked and some users' NFTs were stolen. After the attack, GoPlus security analysts quickly carried out a comprehensive analysis and offer security suggestions here from the perspectives of ordinary investors and developers.

Attack process

The attackers implanted a malicious JS script on the premint.xyz website. When users performed routine operations, the malicious code executed and tricked them into signing a transaction for the authorization operation setApprovalForAll(address, bool). Having obtained the authorization by fraud, the attackers stole the users' NFTs and other assets.

Attack principle

When a user visits https://www.premint.xyz/ , the website loads the following JS resource file: https://s3-redwood-labs.premint.xyz/theme/js/boomerang.min.js .

The hacker injected into this file a script that loads another attack script, https://s3-redwood-labs-premint-xyz.com/cdn.min.js?v=1658050292559 , hosted on a fake domain name (s3-redwood-labs-premint-xyz.com) belonging to the hacker. That script contains the interactions used to trick users into granting authorization (it is currently inaccessible).

When the user performs the normal "Verifying your wallet ownership" signature operation (that is, signature login), this script is triggered and replaces the original verification signature with a transaction that authorizes the attacker to transfer the user's high-value NFTs. Once the transaction is signed, the assets are stolen. (Note: depending on the situation, the attack script may also have tried to obtain the user's ERC20 token authorization by fraud. We have no way of knowing, because the script is no longer accessible.)

Hard to guard against

  • For ordinary users, this kind of attack may be the most difficult to deal with and the easiest to fall for.
  • All of the user-facing interactions in the attack take place on Premint's official website. This makes it easy for people to lower their guard, because everyone assumes by default that the official website has no problems.
  • The fraudulent transaction signature is requested during the signature verification step of a normal operation. Most users do not look at the signature details in the wallet (most do not know how to judge whether a signature is safe, and, trusting the official website, they easily overlook that this step may carry risk), so the attack is extremely well concealed.

Where is the loophole

  • You may be wondering why Premint's official website carried attack code at all. The reason is that the JS resource files hosted on S3 (the AWS object storage service) were broken into and tampered with.
  • As for how the break-in happened, based on the information available we suspect an error in the S3 configuration that left the bucket open to unauthorized access, allowing the attacker to list, read or write the S3 bucket at will and thereby tamper with the JS resource file.
  • The most puzzling part of the whole process is that the attack was discovered at 16:00 (UTC+8) on the 17th, yet as of 22:00 (UTC+8) on the 17th Premint had still not corrected the tampered JS file. The boomerang.min.js file still contains the malicious script injected by the hacker, and the hacker's attack script is still requested when the page loads, although the malicious script itself is no longer accessible (the attack domain s3-redwood-labs-premint-xyz.com is no longer accessible). This state has lasted for 6 hours, and it is hard to judge whether the script would cause greater losses if it were revived during this time.

Lessons

Lesson 1: What should we do as ordinary investors? If even the official website is not reliable, how can we avoid being cheated?

  • For many users who do not understand the technology, this attack can basically be called a "first attack", and it is 100% successful. After all, no one suspects the official website of fraud. But if you think about it carefully, every transaction on the chain must be signed by the wallet, so as long as you pay attention to the content of what you are signing, you can still identify the risk.
  • Many blockchain users have a very bad habit: once an operation reaches the wallet, everything except adjusting the gas is done on autopilot. In fact, the confirmation information shown before signing contains a lot of key content. GoPlus Security recommends that you always check it carefully before any signing operation.
  • Take this attack as an example. When the user performs signature verification on Premint, the signature is only used to verify information and nothing needs to go on-chain, so the Signature Request that is initiated should contain only the Origin information (the requester), the user address, the nonce, and possibly some additional return information. As shown below (since https://www.premint.xyz/ has been temporarily taken offline, we take Opensea as an example):

  • However, a transaction signature that has been tampered with by an injection attack has to go on-chain, so the wallet presents more information, in the form of a contract call. For example, for an NFT authorization using setApprovalForAll, it shows where the transaction takes place (etherscan in the figure), which method is called (setApprovalForAll), who is being authorized, and how much ETH is consumed.

  • Looking back at the screenshots contributed by netizens, we can see that after Premint was injected, the operation still prompted the user to verify a signature, but the request actually sent to the wallet for signing was an on-chain setApprovalForAll transaction, completely consistent with the picture above. That alone shows that something is wrong.

  • In fact, the signature information shown in the wallet differs between contract calls, transfers of ETH (or another native currency), transfers of tokens, and so on, and all investors should understand these differences to avoid losses from this kind of attack. GoPlus Security strongly recommends that you walk through these operations yourself to become familiar with the various kinds of signature information (as long as the transaction is not sent, there are no fees and no "tuition" to pay). Once you learn to read signature information, you will avoid almost all phishing, injection, and fraud attacks.
  • Don't be lazy: if you want to keep yourself safe, learning is the only way.
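The difference between the two wallet prompts described above can also be checked in code. The following is an added example, not part of the original article: it inspects the JSON-RPC request a page sends to the wallet and decodes approval calldata. The sample requests and addresses are constructed placeholders, and it assumes the login flow uses `personal_sign`.

```javascript
// Added example (not from the article): tell a login signature apart from an
// on-chain approval by inspecting the JSON-RPC request a page sends the wallet.
const APPROVAL_SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // NFT operator approval
  "095ea7b3": "approve(address,uint256)",      // ERC-20 allowance
};

function describeWalletRequest({ method, params = [] }) {
  if (method !== "eth_sendTransaction") {
    return { method, onChain: false }; // not a transaction submission
  }
  const tx = params[0] || {};
  const data = String(tx.data || "").toLowerCase().replace(/^0x/, "");
  const call = APPROVAL_SELECTORS[data.slice(0, 8)];
  const out = { method, onChain: true, contract: tx.to, call: call || "unknown" };
  // Both approval calls take two ABI words of 32 bytes (64 hex chars) each.
  if (call && /^[0-9a-f]{136}$/.test(data)) {
    out.grantee = "0x" + data.slice(32, 72);        // low 20 bytes of word 1
    out.value = BigInt("0x" + data.slice(72, 136)); // bool or amount, word 2
    out.grantsAccess = out.value !== 0n;            // 0 means revoke
  }
  return out;
}

// Assumption: a sign-in flow only ever needs a plain message signature.
function matchesLoginIntent(request) {
  return request.method === "personal_sign";
}

// Constructed sample requests; all addresses are placeholders.
const USER = "0x" + "11".repeat(20);
const LOGIN_REQUEST = {
  method: "personal_sign",
  params: ["0x5665726966792077616c6c6574", USER], // hex of "Verify wallet"
};
const TAMPERED_REQUEST = {
  method: "eth_sendTransaction",
  params: [{
    from: USER,
    to: "0x" + "22".repeat(20), // NFT contract (placeholder)
    data: "0xa22cb465" + "0".repeat(24) + "33".repeat(20) + "0".repeat(63) + "1",
  }],
};
```

`describeWalletRequest(TAMPERED_REQUEST)` reports an on-chain `setApprovalForAll` call granting access to the placeholder operator, while `matchesLoginIntent` rejects it as a login.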

Lesson 2: How can developers avoid injection attacks?

  • The biggest lesson of this attack for developers is that, since the web3.0 world cannot exist independently of web2.0, it will inevitably be exposed to the same attack methods as web2.0. Guaranteeing security at the contract level is not enough. None of the traditional security measures can be neglected, and any small oversight may cause major losses.
  • In addition, when a problem like this is found, it should be repaired or isolated immediately. If the team hopes to get away with it and does not deal with the source of the risk at once, being ridiculed by security analysts is the least of it; if the attack method is still usable, losses will continue to occur, and that is the serious part.
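One traditional check that fits this incident is to scan deployed JS assets for hosts that do not belong to the site. The following is an added example, not code from the article or from Premint: the allowlist and the sample asset are constructed, and only the two URLs in it are taken from the article.

```javascript
// Added example (not from the article): flag hosts referenced by a deployed
// JS asset that are not the site's own domain or a true subdomain of it.
const ALLOWED_DOMAINS = ["premint.xyz"];

// Constructed stand-in for a tampered asset. The real injected code is not
// available; only the two URLs below are quoted in the article.
const SAMPLE_ASSET = `
  /* ...minified library code... */
  var a = "https://s3-redwood-labs.premint.xyz/theme/js/boomerang.min.js";
  var b = "https://s3-redwood-labs-premint-xyz.com/cdn.min.js?v=1658050292559";
`;

function hostAllowed(host, allowed = ALLOWED_DOMAINS) {
  // Exact match or dot-delimited suffix. A substring test would accept
  // "s3-redwood-labs-premint-xyz.com" because it contains "premint".
  const h = host.toLowerCase();
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

function findForeignHosts(jsSource, allowed = ALLOWED_DOMAINS) {
  // Absolute URLs only; hosts assembled at runtime will not show up here.
  const urls = jsSource.match(/https?:\/\/[^\s"'`)<>\\]+/g) || [];
  const foreign = new Set();
  for (const raw of urls) {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch {
      continue; // not a parseable URL
    }
    if (!hostAllowed(host, allowed)) foreign.add(host.toLowerCase());
  }
  return [...foreign].sort();
}
```

Run against each published asset after every deployment and on a schedule, a non-empty result from `findForeignHosts` is a signal to take the file offline and investigate.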

Origin blog.csdn.net/xiaozhupeiqi321/article/details/125869261