
Re: recent wave of Smart Contract vulns - out of scope?

: > That is not a good comparison in my opinion. Those third-party 
plugins for
: > WordPress (or Drupal or any other CMS) typically have a vendor page,
: > versions, changelogs, repos, etc. It is extremely rare there isn't
: > provenance on who wrote that code, or where it is/was maintained. 
: > contracts are a very different thing.
: Ok another real world example: I tried to track down all the SSH 
: on the Apple iOS store, I wasn't able to for several of them. Does 
: mean they don't get covered by CVE?

Meaning you know the SSH client exists for iOS, but couldn't find the 
app/vendor on the store? If so, that would be similar to Dormann's 
project, some 23k+ vulnerable apps. Even a week after the disclosure, 
of the apps had been removed from the store. We were able to dig up the 
app/vendor using third-party sites that mirror the Android store to 
information missing in the original disclosure. So in those cases, we 
the software's provenance. If there is an app that completely vanished, 
and no indication it ever existed via Google searches, that is tricky. 
do we even know it was a legit app in the first place, and not malware 
being distributed on a third-party store?

: > "Is it trackable in a meaningful / helpful way" should be a 
: > That is my argument here.
: But it is trackable, and it is helpful. We have the wallet 
: ID's/examples, and in the case of say SoarCoin people know now that 
: provider (Soar Labs) was engaged in some, shall we say shenanigans 
: mean you may want to avoid that coin. That's pretty useful.

Except, we don't. MITRE/CVE/Researchers have not been including the 
contract address in the CVE IDs. That is obviously fixable, and should 
mandatory for any smart contract disclosure, regardless of the outcome 
this thread.

Also, a contract can interact with SoarCoin but have nothing to do with 
the coin otherwise. People using SoarCoin aren't impacted unless they 
interact with the vulnerable contract. So the presence of a dozen 
contracts on Ethereum that are vuln, has no bearing on the security of 
Ethereum itself. We've seen that with 'game' contracts earlier this 
where the vulnerability allowed for badthing that could result in loss 
funds, but only for those playing the game via the contract. Unrelated 
CVE's tracking of these, I wouldn't say it is fair to ding SoarCoin or 
Ethereum for a vulnerability in a third-party contract, just as we 
with WP or Drupal plugins and their main software.


Page Last Updated or Reviewed: July 10, 2018