[AMA] I've found D/DoS flaws in 20+ blockchains - ask me anything

by COINS NEWS 259 Views

Hi,

I'm Kevin McSheehan aka pad and I was invited to do an AMA here. I'm a whitehat hacker/programmer from southern Maine. I started hacking in around 1997 as a blackhat 12-year-old.

I have nothing to shill, but you can follow me on Twitter if you'd like.

Here's a list of blockchains I've found some manner of DoS or remote crash in:

- Monero (P2P)

- Bitcoin (pub API)

- Bitcoin SV (pub API)

- Theta

- Polkadot

- EOS

- Chainlink

- Iconloop

- Tron

- Komodo

- Kadena

- Symbol

- Decred

- Blockstacks

- Iost

- Algorand

- Iota

- Ergo (API, low severity - many of these are low severity)

- Hive

- Harmony

- The Graph

- Flow

- Cronos

- and others

Those should all be either patched by now or inconsequential in real-world scenarios, such as those affecting public API nodes, which are generally frowned upon in the first place.

I'm sorry that I don't have videos for all of them, but even to the trained eye you can't really tell what's happening in half of them anyway. I also don't entirely remember whether many of them were API or P2P crashes. It's a mixed bag. I've also been advised to not go into detail about how to crash nodes by moderators - which I agree is ethical.

I specialize in finding DoS and/or remote crashes in blockchain nodes. It's important to mention that any security researcher will tell you how lame D/DoS is, and I agree. It's only when you consider the critical nature of uptime in blockchain that it becomes worth paying attention to. Even Satoshi's last Bitcointalk post ever warned of looming D/DoS, and that is what I focus on.

I make no claim of being a computer hacking super wizard or anything. Most of my skills in cybersecurity are incidental from being a serial Internet entrepreneur for 20 years - so I've picked a few things up. However, I've RCE'd Slack, shelled and DB dumped some top 100 websites well over a decade ago when I dabbled in blackhattery, etc. I digress.

It isn't unusual for security vulnerabilities to pop up in Bitcoin, and I think Bitcoin being a computer program is something lost on many people.

The good news is that the attacks that I find can rarely be leveraged to take down entire blockchain networks (though at least one of my exploits has been used to do this) because, apart from questionably designed blockchains like Kadena and Theta, it's difficult to spider/harvest verifiably online peer nodes to attack through the P2P layer.

Even still, I don't think blockchain is ready for critical infrastructure. It's not adequately battle-tested.

Worth mentioning - I have a lot of stories spanning back to the AOL 2.5 days. If anyone wants to ask general questions about blackhat hacker life I would be happy to answer them. It's a life I witnessed for a long time before making a clean break a long time ago.

Oh, it'd be irresponsible of me to not mention Immunefi. It's the go-to bug bounty program for blockchain teams and hackers. It's going to be a big deal, and it's already saving people millions and millions of dollars in hack prevention. If you're a blockchain and/or Solidity hacker, check it out for sure. It's a smart way to both get paid and help the ecosystem as a whole.

AMA

~

Edit: Thanks guys, it's been real!

submitted by /u/endless