Stealing LSK by Exploiting Cryptography Flaws, LiskHQ Answers to The Concerns
Few days ago popped up the Kudelski Security’s blog post entitled “Blockchains: How to Steal Millions in 264 Operations” and with direct reference to Lisk technology.
The author affirmed that he was able to hijack certain Lisk accounts and steal all their balance after only 264 evaluations of the address generation function (a combination of SHA-256, SHA-512, and a scalar multiplication over Ed25519’s curve).
He tested the attack by creating an account using a passphrase then hijacking the account using the second passphrase, so finding two passphrases referred to the same address (a collision).
The issue was already public and also the solution to mitigate it was publicly disclosed in the December Security update: Lisk’s Holiday Security Reminder
In addition, community’s and Lisk team’s responses in a Reddit post confirmed that the situation is under control. The Reddit user “Someliskguy” stated:
I’m pretty sure this was mitigated in https://github.com/LiskHQ/lisk/issues/10, is why the old web wallet was discontinued, and why all official lisk software and wallets now use lisk-js, which doesn’t send your private key.
And also Max Kordek, CEO at Lisk, claimed:
Confirmed. Additionally, with 1.0.0 we are changing the whole API and remove all insecure endpoints like the ones mentioned.
If you check here the new API is already all done and finished: https://github.com/LiskHQ/lisk/projects/6
This stems from Crypti times. We didn’t design it, however, we see the flaws and are in the process of fixing them once and for all.
Every single Cryptocurrency needs an outgoing transaction to embed the public key to its address. Only in the cases of Lisk and Nxt this is more important because the addresses have less entropy. With our new address system it will be of the same importance like with Bitcoin, i.e. not very important.
Lastly, IkerLisk proved why some numbers written in the article are based on several wrong assumptions and in reality it is much more difficult to complete the mentioned attack. Here you can read the full explanation.
Lisk Magazine is a project supported by Lisk Italian Group.