BSV
$56.77
Vol 55.02m
-10.27%
BTC
$101007
Vol 113657.44m
-4.5%
BCH
$486.63
Vol 593.64m
-8.16%
LTC
$110.28
Vol 2035.12m
-10.86%
DOGE
$0.36
Vol 5971.1m
-8.95%
Getting your Trinity Audio player ready...

A security researcher has posted reports of a zero-day vulnerability in AvalancheGo, an implementation of Ava Labs’ Avalanche protocol. The vulnerability, he said, allows private keys of network validators to be forged, “which essentially renders the entire protocol compromised.”

Researcher James Edwards said he was posting the vulnerability in public because Ava Labs—after responding to his initial claims posted February 14 on Hackenproof with a request for more information—had failed to respond to his later reports detailing the issue, and had not patched the software.

“If there’s anybody out there that’s using Avalanche at the time of writing … my best advice as an objective observer and researcher would be to remove any and all funds you have on this protocol ASAP,” he wrote.

Edwards posted a lengthy four-part description of how the vulnerability works, noting that it is only present in the Golang implementation of the Avalanche Protocol. It concerns the way AvalancheGo uses “nonce values” to create deterministic signatures—though Avalanche’s signatures are indeed deterministic, a flaw in functions used to iterate and produce nonce values could potentially compromise validators.

AvalancheGo uses a Decred (another blockchain) library in this process, generating signatures based on the RFC6979 specification.

“Since Avalanche chose to screw me out of a $10k bug bounty, I’ve elected to publish this research for free for the benefit of the community,” he said in his fourth and concluding post on February 19.

Avalanche is a proof-of-stake (PoS) consensus blockchain built to run smart contracts and decentralized applications (dApps). Based on a protocol developed by Emin Gün Sirer and a team of colleagues at Cornell University, its Developer Accelerator Program went open-source in March 2020, and Avalanche itself was officially released a few months later.

As a PoS blockchain, Avalanche confirms blocks by having a network of “validators” lock in stakes of its native token, also called Avalanche (or AVAX). It received US$230 million in investment from Polychain and Three Arrows Capital (3AC), and has reportedly done deals with Deloitte and Amazon.

In August 2022, the project became embroiled in the “Crypto Leaks” scandal involving Kyle Roche, founding partner at Roche Freedman—the law firm that represented Ira Kleiman in the long-running Kleiman v Wright case that sought unsuccessfully to extract a large percentage of Satoshi Nakamoto’s early Bitcoins from Dr. Craig S. Wright. Roche claimed in leaked videos to have used mercenary legal tactics to accumulate trade secrets during discovery and to “take down” competitors to Ava Labs, one of the firm’s clients, in return for a large allotment of AVAX assets. Sirer and Ava Labs denied allegations of wrongdoing, but the firm was subsequently removed from a class action suit against Tether, and Roche himself was fired over the affair. The firm is now called Freedman Normand Friedland.

Avalanche’s response?

For the record, a senior software engineer at Ava Labs refuted claims about vulnerabilities in Avalanche’s nonce/signature generation processes on February 17. This article was re-posted in response to Edwards’ tweet.

“Ava Labs has a long history of working with responsible security researchers and bug bounty reporters across the broader security ecosystem,” they wrote.

Edwards wrote that Ava Labs developers had sent him “a longform documented response” to his vulnerability claims, though this response said AvalancheGo’s library had inherited several functions from the Decred version “that it in fact, didn’t.” He demonstrated this by producing signatures using both the Decred library and AvalancheGo’s with different results.

He noted that the description worked “in theory” but added, “this has not been executed in practice by myself as it goes against my personal code of ethics.”

Watch: Law & Order Regulatory Compliance for Blockchain & Digital Assets

Recommended for you

El Salvador softens BTC stance as economic reality bites
Nayib Bukele’s government has agreed to walk back its pro-BTC stance to secure a $1.3 billion IMF loan, saying that...
December 18, 2024
Ripple launches stablecoin; Tether invests in EU lifeboats
Ripple says choosing NYDFS for its newly minted RLUSD will help increase the token's acceptance. Elsewhere, Tether continues to look...
December 18, 2024
Advertisement
Advertisement
Advertisement