Security Alert 🚨: Ethereum Staking Keystore Vulnerability
At Blockops Network, we are committed to ensuring the security and integrity of tools and services used by our customers.
Following a recent security audit performed by Trail of Bits on ethstaker-deposit-cli, we’re sharing details about the vulnerability detected, its potential impact, and actionable steps you can take to protect your staking setup.
Incident Overview
Severity: High
Source: https://discord.com/channels/694822223575384095/749027200837353512/1311004134635212831
Timeline and Impact
Timeline of Report: 26th November, 2024 4:03PM WAT
Reported by: remyroy (GitHub) on the EthStaker Discord channel
Who’s Impacted: Solo stakers using staking-deposit-cli (versions <= 2.7.0), ethstaker-deposit-cli (versions <= 0.5.0), & Wagyu Key Gen (versions <= 1.10.0)
What Happened?
A flaw was identified in Ethereum staking key generation tools, specifically in ethstaker-deposit-cli, staking-deposit-cli, and Wagyu Key Gen. These tools are designed to generate validator keys and encrypt them securely.
However, older versions contained a subtle but serious weakness in their encryption mechanisms.
Technical Breakdown (In Simple Terms):
When you create validator keys, the encryption mechanism is meant to create an “impenetrable”, tightly sealed vault with a unique lock that only you can open. Unfortunately, older versions of these tools didn’t create as secure a lock as they should have. Instead, the lock was more generic, making it easier for someone motivated enough and with the right tools to break into this vault.
Potential Impact
While the vulnerability does not directly compromise funds, it could potentially result in:
Unauthorized Key Access: Weak encryption might allow attackers to decrypt private keys if multiple keystore files are obtained.
Validator Slashing: A malicious actor with access to your keys could cause double-signing incidents, which may result in penalties to your validator.
Compromised Keystore Integrity: Key files generated under these conditions may not meet security best practices.
The Real-World Risk
The vulnerability means that if someone gets their hands on multiple keystore files you generated in a single session, they might — with enough computing power — crack the encryption and access your validator’s private keys.
Root Cause Analysis
The vulnerability was uncovered by Trail of Bits during a comprehensive security assessment of the ethstaker-deposit-cli. The core issue lies in the improper initialization of cryptographic parameters within the keystore.py encrypt function.
Read here for more technical details: https://github.com/eth-educators/ethstaker-deposit-cli/security/advisories/GHSA-c6rv-g6pj-r6qx
Corrective Actions and Mitigation Strategies
To address this vulnerability, immediate steps have been taken:
Patch releases for all affected tools
Provide clear guidance for users on key regeneration
Incident Response Checklist
[ ] Identify all systems using vulnerable versions
[ ] Immediately update to patched versions
[ ] Review and secure existing keystore files
[ ] Regenerate keystores using patched tools if potential compromise is suspected
[ ] Communicate vulnerability status to stakeholders
[ ] Document and log all remediation actions
Recommendations for Solo Stakers
Keep your key generation tools updated by upgrading to the latest versions: ethstaker-deposit-cli v0.6.0, staking-deposit-cli v2.8.0, Wagyu Key Gen v1.11.0
If you generated 2+ keystores in a single run, consider verifying your mnemonic seed and wiping existing keystore backups
Regenerate keystores with the updated tools
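One way to carry out the "review existing keystore files" step, as an added example (not code from Blockops or from the affected tools): it assumes the improperly initialized parameters show up as an identical KDF salt or cipher IV across EIP-2335 keystore files from one run. It reads only those public fields, never the password or the decrypted key; the function names and sample values are constructed for illustration.

```python
import json
from collections import defaultdict
from pathlib import Path

def crypto_params(keystore):
    """Return the public random values of an EIP-2335 (version 4) keystore."""
    crypto = keystore["crypto"]
    return {"kdf salt": crypto["kdf"]["params"]["salt"].lower(),
            "cipher iv": crypto["cipher"]["params"]["iv"].lower()}

def find_shared_params(keystores):
    """Take {label: parsed JSON}; return (param, value, labels) for each value reused across files."""
    seen = defaultdict(list)
    for name, ks in keystores.items():
        try:
            params = crypto_params(ks)
        except (KeyError, TypeError, AttributeError):
            continue  # not a keystore (other JSON kept in the same folder)
        for param, value in params.items():
            seen[(param, value)].append(name)
    return sorted((p, v, sorted(names)) for (p, v), names in seen.items() if len(names) > 1)

def scan_directory(directory):
    """Parse every *.json file in a directory and report shared salts and IVs."""
    loaded = {}
    for path in Path(directory).glob("*.json"):
        try:
            loaded[path.name] = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON
    return find_shared_params(loaded)

def sample(salt, iv):
    """Constructed keystore skeleton: only the fields this check reads, dummy values."""
    return {"version": 4, "crypto": {
        "kdf": {"function": "scrypt", "params": {"salt": salt}},
        "cipher": {"function": "aes-128-ctr", "params": {"iv": iv}}}}

# Constructed sample set: two files share salt and IV, one has its own, one is not a keystore.
SAMPLE_KEYSTORES = {
    "keystore-a.json": sample("11" * 32, "aa" * 16),
    "keystore-b.json": sample("11" * 32, "AA" * 16),
    "keystore-c.json": sample("22" * 32, "bb" * 16),
    "other.json": [],
}

if __name__ == "__main__":
    for param, value, names in find_shared_params(SAMPLE_KEYSTORES):
        print(f"shared {param} {value[:8]}... in {', '.join(names)}")
```

Any file this reports is a candidate for regeneration with a patched tool; run `scan_directory` against the folder holding your keystore backups.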
Additional Resources
Security Advisory: https://github.com/eth-educators/ethstaker-deposit-cli/security/advisories/GHSA-c6rv-g6pj-r6qx
GitHub Issue Reference: https://github.com/eth-educators/ethstaker-deposit-cli/issues/238