The Ethereum Black Valentine’s Day Attack

From WEB3 Vulnerapedia

The ETH Black Valentine's Day attack has caused losses of over $20 million in total, with various types of tokens stolen, and unlike typical exploits and attacks, this one has continued for several years and is still going on today.

This attack first occurred on 14 February 2016, which was Valentine's Day, hence the name.

Root Cause

The cause of this attack was mainly a defect in the Ethereum ecosystem: the attackers took advantage of the authentication flaw (an unauthenticated JSON-RPC interface) in Ethereum nodes' Geth/Parity RPC API to steal tokens via eth_sendTransaction.

Vulnerability Analysis

BlockchainBandit Address on Etherscan

Attacker Address

Exploiter Address:

0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464

Attack Process

  1. Scan for open Ethereum nodes, mainly on:
     - Port 8545 (HTTP JSON RPC API)
     - Port 8546 (WebSocket JSON RPC API)
  2. Traverse block height, wallet addresses and balances by sending:
     - eth_getBlockByNumber
     - eth_accounts
     - eth_getBalance
  3. Call eth_sendTransaction repeatedly to transfer the balance to the attacker's wallet.
  4. If the victim/node user executes unlockAccount on their wallet, no password is needed to sign transactions for the duration of the unlock. The attacker's spam of eth_sendTransaction calls is then executed properly, transferring funds from the victim to the attacker's wallet.


Update: Another attack process was introduced that builds upon the first method above:

  1. On an open Ethereum node, the attacker constructs a transaction and signs it. The signed amount is set to X, and the nonce to the current nonce + 1.
  2. The Ethereum node will detect an issue and close the RPC port.
  3. After the port is closed, the Ethereum node will eventually assume it is now safe to transfer ETH to the account.
  4. The attacker takes the window when the node does so (through automated scripts) and broadcasts the previously signed transaction instantly, making the attack go through.
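The two attack processes above leave a recognisable footprint in an RPC access log: recon calls (eth_getBlockByNumber, eth_accounts, eth_getBalance) from an external address, followed by bursts of eth_sendTransaction. The following detector is an added example written for this page, not code from the original article; it parses constructed log lines in an assumed "<src_ip> <timestamp> <json-rpc body>" layout (geth and Parity do not log in this shape themselves; a reverse proxy in front of the RPC port could), and the set of networks treated as internal is an assumption.

```python
"""Flag Black Valentine's Day-style JSON-RPC activity in a node access log.

Added example (not from the original page). Log layout and the list of
"internal" networks are assumptions made for this illustration.
"""
import ipaddress
import json
from collections import Counter

# Methods used for the recon phase and the theft phase of the attack.
RECON_METHODS = {"eth_getBlockByNumber", "eth_accounts", "eth_getBalance"}
THEFT_METHODS = {"eth_sendTransaction", "personal_unlockAccount",
                 "personal_sendTransaction"}

# Assumption: only loopback and RFC 1918 ranges are legitimate RPC clients.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "<src_ip> <timestamp> <json-rpc body>".
# 203.0.113.7 is a documentation address standing in for an external scanner;
# 0x957c... is the exploiter address named on this page.
SAMPLE_LOG = """\
127.0.0.1 2016-02-14T15:50:01Z {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}
203.0.113.7 2016-02-14T15:58:40Z {"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["latest",false],"id":1}
203.0.113.7 2016-02-14T15:58:41Z {"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":2}
203.0.113.7 2016-02-14T15:58:42Z {"jsonrpc":"2.0","method":"eth_getBalance","params":["0xVICTIM_PLACEHOLDER","latest"],"id":3}
203.0.113.7 2016-02-14T15:59:10Z {"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xVICTIM_PLACEHOLDER","to":"0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464","value":"0x1"}],"id":4}
203.0.113.7 2016-02-14T15:59:11Z {"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xVICTIM_PLACEHOLDER","to":"0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464","value":"0x1"}],"id":5}
10.0.0.5 2016-02-14T16:01:00Z {"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xVICTIM_PLACEHOLDER","to":"0xOPERATOR_PLACEHOLDER","value":"0x1"}],"id":6}
"""


def is_external(ip):
    """True if the source address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into source, timestamp and the JSON-RPC method."""
    src, ts, body = line.split(" ", 2)
    req = json.loads(body)
    return {"src": src, "ts": ts, "method": req.get("method")}


def analyse(log_text, spam_threshold=2):
    """Return (source, category, detail) findings for the whole log.

    Categories: recon / theft-attempt / exposed-rpc for any external caller,
    and send-spam when one source issues >= spam_threshold eth_sendTransaction
    calls regardless of where it comes from.
    """
    findings = []
    send_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        method = ev["method"]
        if is_external(ev["src"]):
            if method in RECON_METHODS:
                findings.append((ev["src"], "recon", method))
            elif method in THEFT_METHODS:
                findings.append((ev["src"], "theft-attempt", method))
            else:
                findings.append((ev["src"], "exposed-rpc", method))
        if method == "eth_sendTransaction":
            send_counts[ev["src"]] += 1
    for src, n in send_counts.items():
        if n >= spam_threshold:
            findings.append((src, "send-spam", f"{n}x eth_sendTransaction"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'recon': 3, 'theft-attempt': 2, ...}."""
    return dict(Counter(cat for _, cat, _ in findings))


if __name__ == "__main__":
    for src, cat, detail in analyse(SAMPLE_LOG):
        print(f"{src:14} {cat:14} {detail}")
```

Any "recon" or "theft-attempt" finding from an external source means the RPC port is reachable from the Internet, which is the precondition for both attack variants; the "send-spam" count is what the repeated eth_sendTransaction calls in step 3 look like while the node waits for an unlocked account.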

Attack Timeline of 2016-2017

Date        Time         Event
2016/02/14  03:59:14 PM  First deposit occurred on Valentine's Day
2016/02/16  06:33:30 PM  2 days later, another deposit; it can be speculated that the attacker's exploit had already started scanning and calling eth_sendTransaction
2016/05/19  07:46:33 PM  First withdrawal occurred, with another 51 deposits made
2016/07/20  06:35:57 PM  Another withdrawal, with 57 deposits done in total
2017/05/11  06:34:35 PM  ShapeShift: 7 transactions across 71 days
2017/06/10  02:39:53 AM  Last withdrawal, with around 207 deposits in total
2017/06/21  07:46:49 AM  f2pool: 36 transactions across 4 hours

Impact

Around 4.2 billion IPv4 addresses (the whole IPv4 space) were scanned, and over 10,000 Ethereum nodes were found exposed on the public network with their RPC API enabled.

These nodes are at risk of direct currency theft attacks like this one.

Since this attack is still ongoing, the full amount of losses cannot yet be established, but the exploiter's account currently shows a theft of around 46,250 ETH, most of it already withdrawn by the exploiter.

Mitigation

There are a few guidelines to follow to prevent such incidents from happening again, mostly concerning the configuration of the RPC API port:

  • Change the default RPC API port
  • Change the RPC API listening address to the intranet
  • Configure iptables to restrict access to the RPC API port
  • Account information (keystore) should not be stored on the node, so that unlockAccount can never be used.
  • Ensure every transfer using web3's sendTransaction and sendRawTransaction is signed with the private key.
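The first three guidelines (non-default port, non-public listening address, no account-unlocking surface) can be checked mechanically against the node's own start-up command. The audit below is an added example for this page, not the project's tooling. The flag names --http, --http.addr, --http.port, --http.api, --ws, --ws.addr, --ws.port, --ws.api and --allow-insecure-unlock are real geth flags, and the legacy --rpc/--rpcaddr/--rpcport/--rpcapi spellings are mapped onto them; geth's defaults of localhost, ports 8545/8546 and the eth,net,web3 namespaces are assumed when a flag is absent. The iptables and keystore points are outside what a command line can show and are not covered here.

```python
"""Audit a geth command line for the RPC exposure this page's mitigations target.

Added example (not from the original page). Flag names are real geth flags;
the sample WEAK/HARDENED command lines are constructed for illustration.
"""
import shlex

DEFAULT_PORTS = {"http": 8545, "ws": 8546}   # the ports the attack scans for
DEFAULT_APIS = "eth,net,web3"               # geth default namespaces
DEFAULT_ADDR = "localhost"                  # geth default listening address
LEGACY = {"--rpc": "--http", "--rpcaddr": "--http.addr",
          "--rpcport": "--http.port", "--rpcapi": "--http.api"}

# Constructed sample command lines: the weak setting beside the corrected one.
WEAK = ("geth --http --http.addr 0.0.0.0 --http.api personal,eth,net,web3 "
        "--allow-insecure-unlock")
HARDENED = "geth --http --http.addr 127.0.0.1 --http.port 18545 --http.api eth,net,web3"


def parse_flags(cmdline):
    """Turn 'geth --a --b val --c=val' into {'--a': 'true', '--b': 'val', '--c': 'val'}."""
    toks = shlex.split(cmdline)
    flags = {}
    i = 1                                   # skip the program name
    while i < len(toks):
        tok = toks[i]
        if "=" in tok:
            key, val = tok.split("=", 1)
            i += 1
        elif i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            key, val = tok, toks[i + 1]
            i += 2
        else:
            key, val = tok, "true"          # boolean switch
            i += 1
        flags[LEGACY.get(key, key)] = val   # normalise legacy spellings
    return flags


def audit(cmdline):
    """Return a list of findings; an empty list means the checks all pass."""
    f = parse_flags(cmdline)
    findings = []
    for xport in ("http", "ws"):
        if f.get(f"--{xport}") != "true":
            continue                        # transport not enabled at all
        addr = f.get(f"--{xport}.addr", DEFAULT_ADDR)
        port = int(f.get(f"--{xport}.port", DEFAULT_PORTS[xport]))
        apis = set(f.get(f"--{xport}.api", DEFAULT_APIS).split(","))
        if addr in ("0.0.0.0", "::"):
            findings.append(f"{xport}: listens on all interfaces ({addr})")
        if port == DEFAULT_PORTS[xport]:
            findings.append(f"{xport}: default port {port} (what scanners probe)")
        if "personal" in apis:
            findings.append(f"{xport}: personal namespace exposed (unlockAccount reachable)")
    if f.get("--allow-insecure-unlock") == "true":
        findings.append("account unlocking allowed over HTTP/WS")
    return findings


if __name__ == "__main__":
    for label, cmd in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(cmd) or ["ok"])
```

The hardened line keeps the RPC bound to loopback on a non-default port and leaves the personal namespace off, so even a node that still holds a keystore cannot be unlocked through the network-facing API.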
