0xean

SN 27 Security Vulnerability

Since the subnet owners have refused to make a responsible disclosure to the community or pay out a reasonable bounty, I am instead publishing this in the hopes that miners of the subnet can confirm that they have not been compromised and to give the community insights into the security practices and attitudes of the subnet owners.

Vulnerability synopsis:

Validators with more than 1024 TAO staked had the ability to execute arbitrary code on the miner's machine (RCE) via the Specs synapse, which handed validator-supplied input to a subprocess call from Python. There were no checks at all on what could be run or what could be returned. Anything from miners' hotkeys being exposed to malicious packages being installed on hosts (potentially extracting cold keys) could have been possible.

Root cause:

The Specs synapse accepts app_data from a validator that is dumped into a file and e
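The pattern described above (validator-supplied app_data written to a file and handed to a subprocess with nothing inspecting it) next to a hardened handler that treats app_data purely as data, as an added illustration that is not the subnet's own code. The SpecsRequest class, the handler names, the JSON list request shape and the allowlisted fields are assumptions made for the example; the stake threshold only gates who may send the synapse, not what the miner does with it, which is why the fix has to be on the miner side.

```python
import json
import os
import platform
import subprocess
import sys
import tempfile


class SpecsRequest:
    """Hypothetical stand-in for the Specs synapse: one validator-controlled string."""

    def __init__(self, app_data: str) -> None:
        self.app_data = app_data


def handle_specs_unsafe(req: SpecsRequest) -> str:
    """The vulnerable pattern: app_data is dumped to a file and executed.

    Nothing inspects the contents, so whoever is allowed to send the synapse
    runs arbitrary code with the miner's privileges and gets the output back.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(req.app_data)
        path = f.name
    try:
        result = subprocess.run(
            [sys.executable, path], capture_output=True, text=True, timeout=10
        )
        return result.stdout
    finally:
        os.unlink(path)


# Hardened handler: the miner decides what can be reported. The validator only
# names fields from this fixed allowlist (assumed set), and nothing it sends is
# ever written to disk or executed.
ALLOWED_FIELDS = {
    "os": platform.system,
    "arch": platform.machine,
    "python": platform.python_version,
    "cpu_count": os.cpu_count,
}


def handle_specs_safe(req: SpecsRequest) -> dict:
    """Parse app_data as a JSON list of field names and answer from the allowlist."""
    try:
        wanted = json.loads(req.app_data)
    except json.JSONDecodeError as exc:
        raise ValueError(f"app_data is not valid JSON: {exc}") from None
    if not isinstance(wanted, list) or not all(isinstance(k, str) for k in wanted):
        raise ValueError("app_data must be a JSON list of field names")
    unknown = sorted(set(wanted) - set(ALLOWED_FIELDS))
    if unknown:
        raise ValueError(f"unknown spec fields requested: {unknown}")
    return {name: ALLOWED_FIELDS[name]() for name in wanted}


def rejects(app_data: str) -> bool:
    """True if the hardened handler refuses this app_data (shows the contrast)."""
    try:
        handle_specs_safe(SpecsRequest(app_data))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: a harmless print stands in for anything an attacker would send.
    payload = 'print("code supplied by the validator ran on the miner")'
    print("unsafe handler output:", handle_specs_unsafe(SpecsRequest(payload)).strip())
    print("safe handler rejects the same payload:", rejects(payload))
    print("safe handler answers a field query:",
          handle_specs_safe(SpecsRequest('["os", "cpu_count"]')))
```

The unsafe handler returns whatever the payload printed, which is exactly the "no checks on what could be run or what could be returned" situation in the synopsis; the safe handler never gives the sender a way to name a program, only a way to pick from fields the miner already agreed to report.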

### Keybase proof
I hereby claim:
* I am 0xean on github.
* I am 0xean (https://keybase.io/0xean) on keybase.
* I have a public key ASAZQOyzTgZpyMNrBo8hJTHmMZGWC-1Naj36cIOWsG-AbQo
To claim this, I am signing this object:
@0xean
0xean / marketprotocol-cla.md
Last active July 2, 2018 17:09
MARKET Protocol Contributor License Agreement

MARKET Protocol LLC Contributor License Agreement

By Submitting any Contribution (all as defined below), You agree to the terms and conditions set forth in this contributor license agreement (hereinafter the "Agreement").

We are very grateful for your interest in contributing to MARKET Protocol LLC (hereinafter, "MARKET Protocol", "We" or "Us"). As you know, MARKET Protocol's purpose is the developing, disseminating, editing, managing and running of the Project (as defined below).

To this effect, MARKET Protocol must have a contributor license agreement accepted by each Contributor, indicating agreement to the license terms below. As such, this Agreement is a legally binding document, so please read it carefully before agreeing to it.

1. Definitions