.jpg)
On November 30, Guy Zyskind, CEO of privacy smart contract blockchain Secret Network, said that the developers had fixed a privacy-related vulnerability and that user funds remain safe. In a document dated November 29, Secret Network wrote that users or developers did not need any action and that all active nodes had been upgraded to fix the exploit on November 2.
2/ You can read the post for the main details, but the important thing is that the vulnerability has been mitigated and is unlikely to have been exploited. Most importantly, the funds were never at risk, as Secret does not intentionally rely on SGX for accuracy – only confidentiality.
— Guy Zyskind (@GuyZys) November 29, 2022
The sequence of events, unveiled late yesterday by Secret Network developers, began when a group of white-hat computer scientists contacted the Secret team on October 3 regarding an architectural bug xAPIC (Advanced Programmable Interrupt Controller) recently. disclosed. The exploit allowed uninitialized memory reads in certain Intel processors compatible with the Software Guard Extension (SGX). Secret Network leverages SGX technology to provide confidential execution of smart contracts.
As noted in their article, the researchers first registered a server as a validating node on the secret network, even when they did not have sufficient funds to actively validate transactions. The registration process then stored a copy of Secret’s global consensus seed in its SGX enclave. Then, thanks to the aforementioned CPU issue, the researchers extracted the consensus seed from its secret node and Intel Enhanced Privacy private ID key. Finally, with these elements, they were able to break Secret’s privacy protection features and decrypt the internal state of all smart contracts on the network, as well as the digital assets embedded in them.
Secret developers verified the exploit on October 4 and devised a plan to fix the vulnerability with Intel researchers and staff. First, the nodes were forcibly ejected from the network and their secret keys were removed. After that, nodes could only rejoin the network if they patched all known vulnerabilities, which was completed on November 2. “With this upgrade, it is now impossible to mount xAPIC attacks against the Secret Network manner,” the Secret Network team wrote.
Additionally, new nodes joining the network will be restricted to server-grade hardware only, to limit the attack surface that user-grade hardware presents. Founded in 2015, Secret Network currently has a market capitalization of $131 million via its native SCRT token. The company teamed up with director Quentin Tarantino to launch Secret NFT last November.
