
Re: recent wave of Smart Contract vulns - out of scope?



: > That is not a good comparison in my opinion. Those third-party plugins for
: > WordPress (or Drupal or any other CMS) typically have a vendor page,
: > versions, changelogs, repos, etc. It is extremely rare there isn't
: > provenance on who wrote that code, or where it is/was maintained. These
: > contracts are a very different thing.
: 
: OK, another real-world example: I tried to track down all the SSH clients
: on the Apple iOS store, and I wasn't able to for several of them. Does that
: mean they don't get covered by CVE?

Meaning you know the SSH client exists for iOS, but couldn't find the
app/vendor on the store? If so, that would be similar to Dormann's Tapioca
project, some 23k+ vulnerable apps. Even a week after the disclosure, many
of the apps had been removed from the store. We were able to dig up the
app/vendor using third-party sites that mirror the Android store to pull
information missing in the original disclosure. So in those cases, we have
the software's provenance. If there is an app that completely vanished,
and no indication it ever existed via Google searches, that is tricky. How
do we even know it was a legit app in the first place, and not malware
being distributed on a third-party store?

: > "Is it trackable in a meaningful / helpful way" should be a requirement.
: > That is my argument here.
: 
: But it is trackable, and it is helpful. We have the wallet
: IDs/examples, and in the case of, say, SoarCoin people now know that the
: provider (Soar Labs) was engaged in some, shall we say, shenanigans that
: mean you may want to avoid that coin. That's pretty useful.

Except, we don't. MITRE/CVE/Researchers have not been including the
contract address in the CVE IDs. That is obviously fixable, and should be
mandatory for any smart contract disclosure, regardless of the outcome of
this thread.

Also, a contract can interact with SoarCoin but have nothing to do with
the coin otherwise. People using SoarCoin aren't impacted unless they
interact with the vulnerable contract. So the presence of a dozen
contracts on Ethereum that are vuln has no bearing on the security of
Ethereum itself. We've seen that with 'game' contracts earlier this year,
where the vulnerability allowed for bad things that could result in loss of
funds, but only for those playing the game via the contract. Unrelated to
CVE's tracking of these, I wouldn't say it is fair to ding SoarCoin or
Ethereum for a vulnerability in a third-party contract, just as we don't
with WP or Drupal plugins and their main software.

Brian


Page Last Updated or Reviewed: July 10, 2018