Stealing LSK by Exploiting Cryptography Flaws, LiskHQ Answers to The Concerns

Few days ago popped up the Kudelski Security’s blog post entitled “Blockchains: How to Steal Millions in 2⁶⁴ Operations” and with direct reference to Lisk technology.

The author affirmed that he was able to hijack certain Lisk accounts and steal all their balance after only 2⁶⁴ evaluations of the address generation function (a combination of SHA-256, SHA-512, and a scalar multiplication over Ed25519’s curve).
He tested the attack by creating an account using a passphrase then hijacking the account using the second passphrase, so finding two passphrases referred to the same address (a collision).

The issue was already public and also the solution to mitigate it was publicly disclosed in the December Security update: Lisk’s Holiday Security Reminder
In addition, community’s and Lisk team’s responses in a Reddit post confirmed that the situation is under control. The Reddit user “Someliskguy” stated:

I’m pretty sure this was mitigated in https://github.com/LiskHQ/lisk/issues/10, is why the old web wallet was discontinued, and why all official lisk software and wallets now use lisk-js, which doesn’t send your private key.

And also Max Kordek, CEO at Lisk, claimed:

Lastly, IkerLisk proved why some numbers written in the article are based on several wrong assumptions and in reality it is much more difficult to complete the mentioned attack. Here you can read the full explanation.

 

———————————————-
Lisk Magazine is a project supported by Lisk Italian Group.