Secret Network says it resolved risk from Intel hardware vulnerability

Quick Take

  • The developers of Secret Network have resolved a vulnerability related to its use of Intel hardware.
  • Security researchers flagged a vulnerability in Intel SGX chips used by Secret for privacy.

The developers of Layer 1 blockchain Secret Network said they resolved a security issue flagged by researchers who highlighted a vulnerability posed by Intel hardware the network used to enable privacy-preserving smart contracts. 

Secret’s promised privacy apps may have been compromised due to a vulnerability in certain Intel SGX chips called xAPIC or ÆPIC Leak.

Intel SGX chips are commonly used by software firms for privacy computing. Secret’s blockchain nodes also use them to encrypt data in a software setup called a “trusted execution environment(TEE).” However, the presence of xAPIC vulnerability also meant hackers could potentially snoop on systems depending on SGX. To prove the risk faced by Secret, the researchers extracted a “consensus seed” to decrypt all private transactions on the Secret blockchain. 

“We evaluated TEE-based blockchain Secret Network to see if it was susceptible to ÆPICLeak, and ended up finding the master decryption key for the whole network,” said Andrew Miller, a lead researcher of the report and Assistant Professor at the University of Illinois, Urbana-Champaign.

The researchers showed that it was possible that a malicious hacker could have also obtained all the transactional history on the network, contrary to Secret’s promise of full privacy. 

No funds at risk

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

In a blog post, SCRT Labs, the developer of Secret Network, claimed that no such incident related to a privacy leak had taken place, to the best of its knowledge — adding the hardware vulnerability only affected the privacy of data stored on Secret Network not used to determine the consensus of the blockchain. 

“Most importantly, funds were never at risk, because Secret intentionally does not rely on SGX for correctness – only privacy,” Guy Zyskind, CEO at SCRT Labs said.

The researchers first notified SCRT Labs of the vulnerability on Oct. 3. SCRT Labs acted to freeze new nodes to connect to the network to limit the exposure of the vulnerability. 

Later, the blockchain firm worked with Intel to develop a patch to prevent vulnerable machines from connecting to the network. This solution was deployed on Nov. 2 via a network upgrade and now the network is secure, it said. “With this upgrade, it is now infeasible to mount xAPIC attacks against the Secret Network mainnet,” SCRT Labs claimed.

SCRT Labs said that it delayed the disclosure of the vulnerability to prevent any malicious hacker from exploiting the vulnerability while it worked on the patch.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]

Editor

To contact the editors of this story:
Larry DiTore at
[email protected]
Adam James at
[email protected]