On the 29th of November 2022, the Secret Network announced on Twitter, that they have successfully resolved a major vulnerability that was discovered by white hat hackers.
NOTICE: Secret Network has successfully resolved a reported network vulnerability by whitehat researchers. No user funds were ever at risk – including now – and no action is required from anyone 👍
Please read our full disclosure on the Secret Blog: https://t.co/HeCqQVshuy
— 𝕊ecret Network 🤫⚡️ (@SecretNetwork) November 29, 2022
Andrew Miller and his team evaluated the Secret Network to check for vulnerabilities and Aepic leaks. In the end, they were able to access the master decryption key utilized by the whole Network. This points to an SGX failure on the Network.
Due to the long update timelines and the difficulty of manually updating the project’s platform, projects like the Secret Network had to choose between security and usability. This is a difficult trade-off to make especially for a web3 blockchain project that is all about privacy and security.
The Secret Network allows users to customize their privacy settings. Allowing them to determine what they would share to whom and how. This allows users and developers to protect themselves from potential scams and hacks.
It keeps the details of the smart contracts encrypted from even the nodes in the Network hiding all the input, state, and output data. This allows users to spend, save, and trade with absolute control over their data. The aim is to properly balance transparency and privacy, in a way that would allow the crypto industry to gain widespread adoption.
The technical aspect of the Secret operation is thus. First, Secret stores a private key within the Network validator’s enclave. This key has two components, the public component that users utilize to encrypt their messages and send them across the Network. And the private component within the enclave that It uses to decrypt the messages, then updates the content and posts’ the encrypted data on the chain.
Since the Network runs on encrypting smart contract data, the ability to access its master decryption key gives that person access to deanonymize every single transaction conducted on this Secret Network chain, from its inception till now. And it would be impossible for the Network to prevent this.
The team, utilizing a xApic vulnerability, was able to set up a Pulsar-2 test transaction decrypter, which they used to obtain the master decryption keys of both the mainnet and testnet.
With such findings, they then collaborated with the Secret Network and were able to build and deploy preventive measures for future eventualities.
Yet it is unknown if such an attack has been attempted in the past and been successful. It’s also unknown if any active nodes at the time had successfully defended against such an attack, but users are advised to evaluate their exposure level from past activities.