The Billion Dollar Private Keys Exploit — Validators as Attack Vectors | by NEFTURE SECURITY I Blockchain Security | Coinmonks | May, 2024

They ultimately found nearly 80 vulnerable servers on Censys but faced authentication issues.

Creating an account on InfStones, they uncovered an API proxy exposing usernames and passwords in cleartext, granting access to all servers.

The HTTP credentials from the proxy request used to connect to all other servers on Censys by dWallet Labs — Source: dWallet Labs

That’s how simple it was for dWallet Labs to seize control of approximately 80 nodes, including validators’ nodes, and execute code on each of them, if they so willed.

Ultimately, they would find out that poor server configuration enabled them to execute commands with root privileges on over 450 servers, a significant portion of which were used to run validators.

After their discovery, they informed InfStones about the initial vulnerability and continued exploring.

They discovered AWS credentials on all servers, with write access to the S3 buckets:

“AWS credential files were detected on all servers. It appears that when InfStones initiates a new node, it downloads the blockchain network binaries from the S3 buckets.

We found, however, that the credentials stored on each server do not only have access to read the S3 buckets, but also have access to write to them.

This means that an attacker can change the binaries in a bucket and run malicious code on the new nodes that are created using this platform.”
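The bucket problem the quote describes has two defensive controls, shown in this added Python example (it is not dWallet Labs' or InfStones' code; the policy documents, bucket name, binary bytes and pinned hash are constructed for illustration): a static check that a node's IAM policy grants nothing beyond read access on the binaries bucket, and a bootstrap fetch that verifies the downloaded binary against a pinned SHA-256 before it is used, so that write access to the bucket alone is no longer enough to get code onto a new node.

```python
import fnmatch
import hashlib

# S3 actions that let a principal modify or remove bucket contents. An Allow
# statement whose Action glob covers any of these (s3:Put*, s3:*, *) is a
# write grant for the purposes of this audit.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:ReplicateObject", "s3:RestoreObject")


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def write_grants(policy: dict, object_arn: str) -> list:
    """Return the Action patterns in Allow statements that would let the holder
    write to object_arn. An empty list means the credential is read-only for
    that object, which is all a node bootstrap credential needs."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(object_arn, r) for r in resources):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if any(fnmatch.fnmatchcase(a, pattern) for a in WRITE_ACTIONS):
                grants.append(pattern)
    return grants


def verify_binary(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against a hash pinned in the bootstrapper."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_binary(download, expected_sha256: str) -> bytes:
    """Download a node binary and refuse to hand it back unless it matches the
    pinned hash, so a swapped object in the bucket is detected before it runs."""
    data = download()
    if not verify_binary(data, expected_sha256):
        raise RuntimeError("downloaded binary does not match pinned SHA-256")
    return data


# ---- constructed sample data (not real policies, bucket names or binaries) ----
OBJECT_ARN = "arn:aws:s3:::node-binaries/validator-client.tgz"

BROAD_POLICY = {  # the weak setting: the node credential can overwrite the bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::node-binaries/*"}],
}

READ_ONLY_POLICY = {  # the corrected setting: fetch only
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::node-binaries",
                                "arn:aws:s3:::node-binaries/*"]}],
}

GOOD_BINARY = b"\x7fELF constructed stand-in for a validator client"
# In a real bootstrapper this digest ships with the image or a signed release
# manifest; it is computed here only so the sample is self-contained.
PINNED_SHA256 = hashlib.sha256(GOOD_BINARY).hexdigest()
TAMPERED_BINARY = GOOD_BINARY + b"\n# constructed tampered tail"

if __name__ == "__main__":
    print("broad policy write grants:", write_grants(BROAD_POLICY, OBJECT_ARN))
    print("read-only policy write grants:", write_grants(READ_ONLY_POLICY, OBJECT_ARN))
    print("pinned binary accepted:",
          fetch_binary(lambda: GOOD_BINARY, PINNED_SHA256) == GOOD_BINARY)
    try:
        fetch_binary(lambda: TAMPERED_BINARY, PINNED_SHA256)
    except RuntimeError as err:
        print("tampered binary rejected:", err)
```

The policy audit matches the object ARN against each statement's Resource globs before looking at actions, so a broad `Resource: "*"` is caught as readily as a bucket-specific one; the hash check belongs in the bootstrapper itself, since a check performed by code fetched from the same bucket proves nothing.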

Additionally, they found a service named “infd” running on port 12345, enabling them to manage nodes.

Upon analysis, dWallet Labs found a command injection vulnerability in the “upgrade” route, which they exploited on one server.

They then uncovered an authentication bypass vulnerability, allowing them to run commands on over 450 servers, including validators across various blockchain networks.

This grants root privileges, enabling access to private keys and control over staked assets worth over one billion dollars.
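The two flaws in the management service, an injectable parameter on the upgrade route and a bypassable authentication check, are closed at two points in a hardened handler. The following added Python example is not infd's code and makes no claim about how that service was built; the request shape, script path and token are hypothetical. It contrasts the string-building pattern that leads to command injection with a handler that authenticates with a constant-time token comparison, validates the version parameter against a strict pattern, and executes with an argv list so no shell ever parses the input.

```python
import hmac
import re
import subprocess

# Accept only plain semantic versions such as "1.2.3" or "v1.2.3". Anything
# else, shell metacharacters included, is rejected before a command is built.
VERSION_RE = re.compile(r"v?\d+\.\d+\.\d+")

UPGRADE_SCRIPT = "/opt/node/upgrade.sh"   # hypothetical path for this example
DEMO_TOKEN = "constructed-demo-token"     # stands in for a per-node secret


def vulnerable_command(version: str) -> str:
    """The pattern behind most command injections: request input pasted into a
    shell command string. Shown only to build the string, never to run it."""
    return f"{UPGRADE_SCRIPT} {version}"   # an unsafe handler would pass this to shell=True


def check_auth(headers: dict, expected_token: str) -> bool:
    """Constant-time bearer token check; a missing header fails closed."""
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented, f"Bearer {expected_token}")


def hardened_upgrade(request: dict, expected_token: str, runner=subprocess.run):
    """Authenticate, validate, then execute with an argv list and no shell.
    Returns (status, message) the way an HTTP handler would."""
    if not check_auth(request.get("headers", {}), expected_token):
        return 401, "unauthorized"
    version = request.get("params", {}).get("version", "")
    if not VERSION_RE.fullmatch(version):
        return 400, "invalid version"
    # argv form: the version is a single argument and is never parsed by a shell
    runner([UPGRADE_SCRIPT, version], check=True)
    return 200, f"upgrade to {version} scheduled"


if __name__ == "__main__":
    injected = "1.2.3; echo injected"   # constructed input with a shell separator
    print("vulnerable handler would run:", vulnerable_command(injected))

    def dry_run(argv, **kwargs):   # stand-in runner so nothing executes here
        print("hardened handler would exec argv:", argv)

    good = {"headers": {"Authorization": f"Bearer {DEMO_TOKEN}"},
            "params": {"version": "1.2.3"}}
    bad = {"headers": {"Authorization": f"Bearer {DEMO_TOKEN}"},
           "params": {"version": injected}}
    anon = {"headers": {}, "params": {"version": "1.2.3"}}
    for req in (good, bad, anon):
        print(hardened_upgrade(req, DEMO_TOKEN, runner=dry_run))
```

The order of the checks matters: authentication comes first so an unauthenticated caller never reaches the validator, and the validator runs before any command is assembled. The `runner` parameter exists so the handler can be exercised without touching the host; in production it is left at its default of `subprocess.run`.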

At this point they could execute commands with root privileges on more than 450 servers across the globe, including many that are used as validators.

During their review of the affected servers, dWallet Labs detected many validators in different blockchain networks such as Ethereum, Sui, BSC, Avalanche, Aptos and more.

An attacker exploiting this vulnerability can acquire the private keys of many validators in many different blockchain networks.

Over one billion dollars of assets were staked on these validators, and such an attacker would have been able to gain full control of all of them.

The full step-by-step detailed breakdown is to be found here:
