🧀 How many slices of Swiss cheese would the community like in their ckERC20 sandwich? Also, ICP Giveaway

Good effort everyone who searched for the Easter Egg! I can confirm that nobody found it, though @ckMood came close with his mention of hashes.

The Easter Egg is located in this post on that thread. Expand the details section of that post (‘Here’s a slightly more detailed description of my concerns’). The hash that’s quoted in that section is intentionally inaccurate. It’s not the same as the hash for the WASM that the canister was running at the time (which can be verified by following the link that I provided right next to the disguised hash). The hashes look similar, but they’re not the same. The bold sections in the hash below highlight all the parts that were wrong.

  • 658c5786cf89ce77a0bb3b17fe855c30f00171de0dc946cc463c9f19c348cb5e

This hash has been sitting there for over a week. It was able to hide in plain sight:

  • despite attention being drawn to it (this topic has been top 2 on this forum for the last 2 days)
  • despite readers being instructed to look for something out of the ordinary
  • despite being offered financial reward
  • and despite the hints.

This hash was able to hide so effectively because it looks practically identical to the human eye, and because nobody was expecting it to be different. It takes computational resources to get a hash to look very similar, but it’s certainly possible and a realistic danger if there’s money to be made.

😱 This is my fear in a nutshell. Build verification isn’t necessary for these sorts of proposals. In my opinion this significantly increases the chances that a nefarious WASM may not get spotted if an attacker picks the right moment to submit a proposal (amidst a swarm of other similar proposals that are all legit).

Sure, verification tools can help. But this attack vector simply doesn’t need to be here for canister configuration updates. Dynamic dispatch could be used to allow a single NNS function to pass a config payload to an arbitrary update function on the canister (specified in the proposal).

If you’d like to see this attack vector removed please consider upvoting, sharing, and commenting on this thread to make it clear that you agree (if you’ve not done so already). If you disagree, please also share your opinion so that we can see the complete picture of community sentiment.

Thanks for taking part everybody!

5 Likes
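The post's point about lookalike hashes, as an added example that is not part of the original post: a reviewer-side check that compares a hash quoted in a proposal with the hash computed from the module bytes, exactly and character by character, instead of by eye. The function names, the sample module bytes and both digests are constructed for illustration; none of them is a hash from the thread.

```python
import hashlib
import hmac
import re

def wasm_sha256(module_bytes: bytes) -> str:
    """SHA-256 of the module bytes, as lowercase hex."""
    return hashlib.sha256(module_bytes).hexdigest()

def normalise(digest: str) -> str:
    """Lowercase, strip whitespace and an optional 0x prefix; reject anything
    that is not exactly 64 hex characters."""
    d = digest.strip().lower().removeprefix("0x")
    if not re.fullmatch(r"[0-9a-f]{64}", d):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return d

def compare_hashes(quoted: str, actual: str) -> dict:
    """Exact comparison plus the positions where the two digests differ."""
    q, a = normalise(quoted), normalise(actual)
    diff = [i for i, (x, y) in enumerate(zip(q, a)) if x != y]
    return {
        "match": hmac.compare_digest(q, a),
        "diff_positions": diff,
        # What a skim of the first and last 8 characters would conclude.
        "skim_match": q[:8] == a[:8] and q[-8:] == a[-8:],
        # Caret under every differing character, for printing below the hash.
        "markers": "".join("^" if i in diff else " " for i in range(len(q))),
    }

def alter(digest: str, positions: list) -> str:
    """Test fixture: change the hex digit at each given position."""
    chars = list(digest)
    for i in positions:
        chars[i] = "0" if chars[i] != "0" else "1"
    return "".join(chars)

# Constructed sample data: a stand-in module and a quoted digest that
# differs from the real one in three mid-string positions.
SAMPLE_WASM = b"\x00asm\x01\x00\x00\x00" + b"constructed sample module"
ACTUAL = wasm_sha256(SAMPLE_WASM)
QUOTED = alter(ACTUAL, [20, 31, 45])

if __name__ == "__main__":
    result = compare_hashes(QUOTED, ACTUAL)
    print("quoted:", QUOTED)
    print("       ", result["markers"])
    print("actual:", ACTUAL)
    print("match:", result["match"], "| skim match:", result["skim_match"])
```

The skim check passes while the exact comparison fails, which is the gap the post describes.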