Bug Patch

@CarlBeek CarlBeek released this 26 Nov 14:21
948d3fc

Vulnerability

This release contains a bug fix for an issue discovered by a Trail of Bits audit of the ethstaker fork of this repo. Earlier versions of the Wagyu Key Gen GUI are also vulnerable.

Keystore files generated with earlier releases of this tool are vulnerable to being decrypted without the password if many keystores were generated at once. The attack becomes exponentially easier the more keys were generated in the same run. If you generated only a few keys, it appears you are safe, as current research indicates significant compute would be required. However, if you generated a large number of keystores in a single run of the CLI, you should treat those keystores as if they were unencrypted.

An attack requires access to multiple keystores that were generated simultaneously, so if your keys have only been stored locally, or you did not generate a large number, it appears you are not susceptible.

If you think you could be vulnerable to such an attack, you have two options depending on your circumstances:

  1. If your keystores have not been exposed to the public internet, you can re-derive your keystores from your mnemonic using this or a later version of this tool. Delete all existing copies of your old keystores, make sure your validator signing keys have been removed from your Validator Client, and then import your new keystores. Exercise extreme caution to ensure you remove your old keys from your Validator Client before importing the new versions, as there is otherwise a risk of being slashed.

  2. If you think your keystores have been exposed to the public internet or parties you do not trust and you generated many keys, you will need to exit and withdraw your current validators, derive new keys from a new mnemonic, and re-deposit as new validators.
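Before deleting the old keystores in option 1, it is worth confirming that the re-derived batch covers exactly the same validators: every old public key must be present in the new batch with the same derivation path, and each new file must be a fresh encryption rather than a copy of the old one, or the validator would either stay unprotected or could not be re-imported. The following check is an added example, not code from the staking-deposit-cli project. It assumes the EIP-2335 keystore JSON layout the CLI writes (the public key in "pubkey", the derivation path in "path", and the KDF salt, cipher IV and ciphertext under "crypto"). The sample keystores are constructed for illustration; their hex values are placeholders, not real keys.

```python
import json
from typing import Dict, List, Tuple


def _sample_keystore(pubkey: str, path: str, salt: str, iv: str, ciphertext: str) -> str:
    """Build a constructed EIP-2335 version-4 keystore (placeholder values only)."""
    return json.dumps({
        "crypto": {
            "kdf": {"function": "scrypt",
                    "params": {"dklen": 32, "n": 262144, "r": 8, "p": 1, "salt": salt},
                    "message": ""},
            "checksum": {"function": "sha256", "params": {}, "message": "cc" * 32},
            "cipher": {"function": "aes-128-ctr", "params": {"iv": iv}, "message": ciphertext},
        },
        "description": "",
        "pubkey": pubkey,
        "path": path,
        "uuid": "00000000-0000-4000-8000-000000000000",
        "version": 4,
    })


# Constructed "old" batch (three validators) and "new" batch re-derived from the mnemonic.
OLD_BATCH: List[str] = [
    _sample_keystore("0a" * 48, "m/12381/3600/0/0/0", "11" * 32, "aa" * 16, "d0" * 32),
    _sample_keystore("0b" * 48, "m/12381/3600/1/0/0", "22" * 32, "bb" * 16, "d1" * 32),
    _sample_keystore("0c" * 48, "m/12381/3600/2/0/0", "33" * 32, "cc" * 16, "d2" * 32),
]
NEW_BATCH: List[str] = [
    _sample_keystore("0a" * 48, "m/12381/3600/0/0/0", "44" * 32, "dd" * 16, "e0" * 32),  # fresh encryption
    _sample_keystore("0b" * 48, "m/12381/3600/1/0/0", "22" * 32, "bb" * 16, "d1" * 32),  # identical copy of old file
    _sample_keystore("0d" * 48, "m/12381/3600/3/0/0", "55" * 32, "ee" * 16, "e3" * 32),  # index 3 instead of index 2
]


def load_keystore(text: str) -> dict:
    """Parse a keystore and reject anything that is not an EIP-2335 v4 file."""
    ks = json.loads(text)
    if ks.get("version") != 4 or "pubkey" not in ks or "crypto" not in ks:
        raise ValueError("not an EIP-2335 version-4 keystore")
    return ks


def _encryption_params(ks: dict) -> Tuple[str, str, str]:
    crypto = ks["crypto"]
    return (crypto["kdf"]["params"]["salt"],
            crypto["cipher"]["params"]["iv"],
            crypto["cipher"]["message"])


def compare_batches(old_texts: List[str], new_texts: List[str]) -> Dict[str, str]:
    """Report, per public key, whether the new batch can safely replace the old one."""
    old = {ks["pubkey"].lower(): ks for ks in map(load_keystore, old_texts)}
    new = {ks["pubkey"].lower(): ks for ks in map(load_keystore, new_texts)}
    report: Dict[str, str] = {}
    for pubkey, old_ks in old.items():
        new_ks = new.get(pubkey)
        if new_ks is None:
            report[pubkey] = "missing-in-new"      # do not delete this old keystore yet
        elif new_ks["path"] != old_ks["path"]:
            report[pubkey] = "path-mismatch"       # same key, different derivation path
        elif _encryption_params(new_ks) == _encryption_params(old_ks):
            report[pubkey] = "not-re-encrypted"    # new file is a copy, not a fresh encryption
        else:
            report[pubkey] = "ok"
    for pubkey in new.keys() - old.keys():
        report[pubkey] = "unexpected-in-new"       # wrong mnemonic or wrong index range
    return report


def safe_to_replace(report: Dict[str, str]) -> bool:
    """Only swap the batches when every old validator has a matching, freshly encrypted new file."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    result = compare_batches(OLD_BATCH, NEW_BATCH)
    for pubkey, status in sorted(result.items()):
        print(f"{pubkey[:16]}...  {status}")
    print("safe to delete old batch:", safe_to_replace(result))
```

Run it against the directories the CLI wrote for the old and new batch; anything other than "ok" for every public key means the old keystores should stay in place until the discrepancy is understood, since removing a key from the Validator Client without an importable replacement, or importing a key for a different validator index, is how the slashing risk noted above arises.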

Changelog

  • Patch vulnerability with multiple keystores
  • #378 - Update Holešky fork-version for relaunch
  • #401 - Update python, packages, & OS versions
  • #425 - Bumps cli-version 2.7 -> 2.8
  • #426 - Update to the latest testnet chain configs
Platform        Compressed file                                    SHA256 checksum
--------        ---------------                                    ---------------
Linux amd64     staking_deposit-cli-948d3fc-linux-amd64.tar.gz     ef021252abd2591ef6d3558fb3258b35f478c20333f2dff4a17cc79b573c3879
Linux arm64     staking_deposit-cli-948d3fc-linux-arm64.tar.gz     a30f09303443113987bd72100d9dfeac3113dbe8cfcfa57381135cc78dff8726
macOS amd64     staking_deposit-cli-948d3fc-darwin-amd64.tar.gz    8cdaeeedc864c79dcdaf52789820d98abab9ffdf1cdc0143ebad3c41aceca320
Windows amd64   staking_deposit-cli-948d3fc-windows-amd64.zip      9ed40c28c899c4e979ed037e9ce4d0595d21d5e3541ab76dcdf9d17459eea26d
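Since this release exists to replace a vulnerable build, verify the archive you downloaded against the table before running it. The script below is an added example, not part of the project; the checksum table is copied from this page, and it assumes the archive sits in the current directory under its published file name. The hash is computed in chunks so large archives are not read into memory at once, and compared with a constant-time comparison.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict

# Published SHA256 checksums for release 948d3fc, copied from the table above.
RELEASE_CHECKSUMS: Dict[str, str] = {
    "staking_deposit-cli-948d3fc-linux-amd64.tar.gz":
        "ef021252abd2591ef6d3558fb3258b35f478c20333f2dff4a17cc79b573c3879",
    "staking_deposit-cli-948d3fc-linux-arm64.tar.gz":
        "a30f09303443113987bd72100d9dfeac3113dbe8cfcfa57381135cc78dff8726",
    "staking_deposit-cli-948d3fc-darwin-amd64.tar.gz":
        "8cdaeeedc864c79dcdaf52789820d98abab9ffdf1cdc0143ebad3c41aceca320",
    "staking_deposit-cli-948d3fc-windows-amd64.zip":
        "9ed40c28c899c4e979ed037e9ce4d0595d21d5e3541ab76dcdf9d17459eea26d",
}


def sha256_file(path: Path) -> str:
    """Hex SHA256 of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_release_archive(path: Path, table: Dict[str, str] = RELEASE_CHECKSUMS) -> str:
    """Return "ok", "mismatch", or "unknown-file" for the archive at `path`.

    The lookup is by file name, so a renamed or unlisted archive is reported
    rather than silently skipped.
    """
    expected = table.get(path.name)
    if expected is None:
        return "unknown-file"
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"


if __name__ == "__main__":
    for name in RELEASE_CHECKSUMS:
        candidate = Path(name)
        if candidate.exists():
            print(f"{name}: {verify_release_archive(candidate)}")
```

Only unpack and run the archive when the result is "ok"; a "mismatch" means the download is corrupt or is not the file this release page describes.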