MultiversX Tracker is Live!

I think I was victim of a sybil attack

Bitcoin Stack Exchange

Bitcoin News / Bitcoin Stack Exchange 176 Views

So I am currently working on a project using bitcoin. I started with a full node that I tried to secure following the best practices available online.

Then, I set up an electrum server that was connected to the full node and on top of which I linked a software wallet, being most of the time a cold one. In order to follow up this particular server' status, I added it to a notification service provided by this website. And that's when things started to get weird.

I suddently started to see the full node being always 1 to 2 blocks behind the current block height. I then saw 3 connections on average to the electrum server from IP addresses that I didn't own. Finally, I saw that my wallet descriptor has been changed and that the receiving addresses of the wallet have been modified. So everytime I would receive a new transaction, it would generate a new address that was not derived from my private key.

But here is the most interesting part. For testing purpose, I had made an incoming transaction to that wallet, days before, using the first generated address that I will call "A". After I started to have doubts, I went back to verify the list of generated addresses and I couldn't find "A" anymore. It was visualy replaced by a random address "B", with the same transaction but no other information has changed (txid, inputs, outputs...). That list was different from the list I used to see in the wallet.

That's when I came back to the electrum server, seeing new connections every second, from different IP addresses. I thought "I'm being DDOSing". After seeing my full node being always late catching the last block, I was finally sure that I was victim of a sybil attack.

I then started to mitigate the attack by doing some tasks on the wallet, the electrum server and the bitcoin core node. I am not sure if it will be enough but like someone said to me one day, "there are lots of things to consider... and security-wise etc. it's a huge undertaking with lots of risks."

Edit : Adding the following question.

Question : How was it possible for the attacker to change the descriptor and the receiving address of my wallet, through the electrum server? Is there any other vulnerabilities I should be aware of in order to mitigate the risks ?


Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments