pnowosie

1cart Webhook Signature Verification — Findings

Reverse-engineered from real 1cart events. The PHP SDK source CallbackReceiver.php was used as a starting point, but several implementation quirks required brute-force discovery.

---

Digest (Digest header)

pnowosie

# Syncing Gnosis network
# I've just followed [Gnosis Interactive Guide](https://docs.gnosischain.com/node/guide/)
#
# Prerequisities:
# - Folders `../layers/cons` & `../layers/exec` containing appropriate client binaries
#
# How to run
# - make [setup]
# In 2 separate terminal windows run:
# - make run-el

pnowosie

const { toBN } = require("web3-utils/src/utils");

const BHAddr = '0x0100000000000000000000000000000000000000';
const IPAddr = '0x010000000000000000000000000000000000000c';
const toAddr    = '0xf126b50def52da277d80c9cfa542811e8452c60c'

const buf = Buffer.alloc(32, 0);
// Slot 1
buf[0] = 1
const Slot1 = '0x'+buf.toString('hex')

pnowosie

{
  "networkID": 1002,
  "camino": {
    "verifyNodeSignature": true,
    "lockModeBondDeposit": true,
    "initialAdmin": "X-kopernikus1g65uqn6t77p656w64023nh8nd9updzmxh8ttv3",
    "depositOffers": [
      {
        "interestRateNominator": 80000,
        "startOffset": 0,

pnowosie

// Run: `truffle exec do_test.js`
const { toBN } = require("web3-utils/src/utils");

const BHAddr = '0x0100000000000000000000000000000000000000';
const IPAddr = '0x010000000000000000000000000000000000000c';
const toAddr    = '0xa2AA6EbD9029F2c1498bD6ee1d1F6708Fd2A1e0b'

const buf = Buffer.alloc(32, 0);
// Slot 1
buf[0] = 1

pnowosie

Hardware wallet - recover private keys

Abstract

I lost one of my Ledger devices, back in 2018. Situation which might be the worst nightmare for many teaches me how to recover my private keys without waiting for a new device.

Please DO NOT follow this advice with your own recovery phrase just to confirm your addresses. There is a reason Ledger and similar security focused companies advices to never input your recovery phrase into internet-connected devices. However, I encourage you to try replicate my results on the zero-seed which is presented bellow.

pnowosie

Hardware wallets, accounts and addresses

Abstract

In this article I will teach you everything I learnt about HD wallet (in my case Ledger). I lost one of my devices, back in 2018 and I was able to restore my Ethereum account in Metamask immediately without waiting for the new device delivery.

You will also learn how to setup you device to give no information about your crypto assets being forced to unlock your HD wallet, e.g. on the airport.

pnowosie

[
    {
        "ParameterKey": "Project",
        "ParameterValue": "memes-generator"
    },
    {
        "ParameterKey": "SharedStage",
        "ParameterValue": "shared-dev"
    },
    {

pnowosie

# Don't fear the Makefile
# ...but learn to used it efectively

InMakeVar = "Make var"
FromEnvWithDefault ?= "default from make"

before_var = "something"

all:
	echo "Zmienna zdefiniowana w env vars: $${HOME}"

pnowosie

#! /bin/bash

u=$1

[ "$UID" = 0 ] || {
  exec sudo "$0" "$USER"
  exit 1
}

function is_user_ingroup() {