A secret secure(?) communication channel for Ronin Bridge Exploiter and Euler Finance Exploiter
On Mar-21–2023 05:02:23 PM +UTC, Ronin Bridge Exploiter sent a message to Euler Finance Exploiter 2 at Ethereum chain: https://etherscan.io/tx/0xcf0b3487dc443f1ef92b4fe27ff7f89e07588cdc0e2b37d50adb8158c697cea6
Decrypt with the private key of 0xb66cd966670d962c227b3eaba30a872dbfb995db (https://github.com/LimelabsTech/eth-ecies).
The message suggests that there is an encrypted message that has been encrypted using the “Elliptic Curve Integrated Encryption Scheme”. This implies that the public key of the Ethereum address
0xb66cd966670d962c227b3eaba30a872dbfb995db is used to derive the sharing secret for encrypting the message, so only the individual with the private key of the Ethereum address
0xb66cd966670d962c227b3eaba30a872dbfb995db will be able to read the encrypted message.
In addition, Ronin Bridge Exploiter has recommended the decryption tool for Euler Finance Exploiter 2, which is eth-ecies (https://github.com/LimelabsTech/eth-ecies).
However, a Twitter user has raised a concern about the tool’s security (https://twitter.com/hudsonjameson/status/1638240083496038409). They have pointed out that the provided tool may be vulnerable due to its use of a vulnerable dependency, which is the elliptic package (https://security.snyk.io/package/npm/elliptic) with a version
Ronin Bridge Exploiter might try to hack Euler Finance Exploiter 2 (https://twitter.com/officer_cia/status/1638235897438019607).
Thereby, let’s unravel the question: is it possible to derive the private key from Euler Finance Exploiter 2 by just simply encrypting and decrypting the message?
Inspex research team starts to investigate by identifying the issue with the tools that use the
elliptic library and finds out that there are actually 3 issues with the
The issue mentioned is https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899. The detail is that there is no check to confirm whether the public key point passed into the derive function actually exists on the secp256k1 curve. This creates a potential scenario where the private key used in this implementation can be revealed after a number of Elliptic Curve Diffie-Hellman (ECDH) operations have been performed, also known as a “Twist attack”.
By allowing the use of points outside
secp256k1 curve as a public key, the encryption strength of the communication will not be at the same level as when using the
secp256k1 curve. This means the Euler Finance Exploiter 2 might have the private key stolen if they use the vulnerable tool to encrypt the messages and communicate with the Ronin Bridge Exploiter.
What happened inside?
A well-written document for “Twist attack” can be accessed at: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md,
Let’s read the simplified information before going to the attack scenario:
Public Key and Private Key on Elliptic curve
G = A generator point on an elliptic curve
a = Alice's private key
A = Alice's public key which derives from A = a*G
b = Bob's private key
B = Bob's public key which derives from B = b*G
To communicate with encrypted messages, they will have to know the sharing secret to encrypt or decrypt the message. So, one way to exchange the key is by using the Diffe-Hellman algorithm. When the communication between Ronin Bridge Exploiter and Euler Finance Exploiter 2 occurs, the internal encryption and decryption will be as follows:
Exchanging Sharing Secret (Diffie-Hellman)
Alice takes Bob’s public key (B) and computes the point
S (sharing secrets).
S = a*B = a*bG
cipherText = encrypt(S, 'text')
Bob takes Alice’s public key (A) and computes the point
b*A = b*a*G = a*b*G = a*B = S
Now Bob has the same point as Alice (S), so they can use S to decrypt the cipher text.
plainText = decrypt(S, cipherText)
Small subgroup attack
With the points on the elliptic curve as a group structure,
E = corresponding group of the elliptic curve (thinking of it as possible integer values on a formula y^2 = x^3 + Ax + B)
H = a subgroup of E with a few elements (a smaller collection of points from the group)
order number of a group = number of elements of a group.
Let’s say Alice wants to know Bob’s private key. Alice picks the point P in the subgroup H with a very small number of elements (weak encryption strength).
share secret (S) = b*P
cipherText (C) = encrypt(S, 'response text')
Since Alice knows that the point S is in the subgroup H, she can attempt to brute-force decrypt the message C with the points P.
P, 2*P, 3*P, 4*P, ...
Suppose the decryption succeeds with the value k*P. She then knows that S = k*P (mod q) and also S = b*P (mod p), so Alice has now learned that k = b mod q, where q is the order number of the subgroup H (i.e., the number of elements in H). Since b is a number under modulo p, the value k that we’ve got is just a fraction of the information in the original b.
Repeating this by changing the point P to another point from another subgroup would give Alice enough information for the private key if the product of the processed group number is larger than the key size. The private key can then be derived by applying the Chinese Remainder Theorem.
It is possible that the Ronin Bridge Exploiter can obtain Euler Finance Exploiter 2’s private key by using the vulnerable tool. Also, the Euler Finance Exploiter 2 must use their private key to create the sharing secret, as shown in the simplified example below:
- The Ronin Bridge Exploiter sends their new public key, which is a point that exists on an elliptic curve that has lower encryption strength, instead of their public key on the
- The Euler Finance Exploiter derives the shared secret from the sent public key with their private key.
2.1. Euler Finance Exploiter must reply back to Ronin Bridge Exploiter by using the same shared secret to encrypt a message.
2.2 If Euler Finance Exploiter does not use thier real private key to create another sharing secret, the attack will be futile.
- The Ronin Bridge Exploiter provides the new existing point on another subgroup or from another elliptic curve as a public key for the new communication.
- The Ronin Bridge Exploiter calculates a fraction of the information in the private key (k) from each replied message.
- Repeat steps 2–4 until the product of the order number and the calculated subgroup exceeds the key size.
Hence, to prevent this kind of attack,
- When encrypting a message with a particular public key, a user should verify that the given public key (point) is on the correct curve, in this case the secp256k1 curve.
- Don’t use a tool from a stranger, espcially an attacker. Use the latest version of tools.
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.