So I am currently working on a project using bitcoin. I started with a full node that I tried to secure following the best practices available online.
Then, I set up an electrum server that was connected to the full node and on top of which I linked a software wallet, being most of the time a cold one. In order to follow up this particular server' status, I added it to a notification service provided by this website. And that's when things started to get weird.
I suddently started to see the full node being always 1 to 2 blocks behind the current block height. I then saw 3 connections on average to the electrum server from IP addresses that I didn't own. Finally, I saw that my wallet descriptor has been changed and that the receiving addresses of the wallet have been modified. So everytime I would receive a new transaction, it would generate a new address that was not derived from my private key.
But here is the most interesting part. For testing purpose, I had made an incoming transaction to that wallet, days before, using the first generated address that I will call "A". After I started to have doubts, I went back to verify the list of generated addresses and I couldn't find "A" anymore. It was visualy replaced by a random address "B", with the same transaction but no other information has changed (txid, inputs, outputs...). That list was different from the list I used to see in the wallet.
That's when I came back to the electrum server, seeing new connections every second, from different IP addresses. I thought "I'm being DDOSing". After seeing my full node being always late catching the last block, I was finally sure that I was victim of a sybil attack.
I then started to mitigate the attack by doing some tasks on the wallet, the electrum server and the bitcoin core node. I am not sure if it will be enough but like someone said to me one day, "there are lots of things to consider... and security-wise etc. it's a huge undertaking with lots of risks."
Edit : Adding the following question.
Question : How was it possible for the attacker to change the descriptor and the receiving address of my wallet, through the electrum server? Is there any other vulnerabilities I should be aware of in order to mitigate the risks ?
You can get bonuses upto $100 FREE BONUS when you:
π° Install these recommended apps:
π² SocialGood - 100% Crypto Back on Everyday Shopping
π² xPortal - The DeFi For The Next Billion
π² CryptoTab Browser - Lightweight, fast, and ready to mine!
π° Register on these recommended exchanges:
π‘ Binanceπ‘ Bitfinexπ‘ Bitmartπ‘ Bittrexπ‘ Bitget
π‘ CoinExπ‘ Crypto.comπ‘ Gate.ioπ‘ Huobiπ‘ Kucoin.
Comments