Ben Adamsky 💭
@ba
Update on today's incident: We've identified a critical vulnerability in our withdrawal API, where there was an exploit that allowed unauthorized withdrawals to bypass our security checks. We've frozen withdrawing funds on smart wallets until this is fully resolved.

Most importantly - all smart contracts, admin wallets, and user smart wallets remain fully secure and uncompromised.

The root cause was an authentication spoofing technique in our API routes due to architectural constraints within our auth system. We've learned a lot from this exploit and are implementing more robust security measures to prevent a situation like this from ever happening again.

All affected users will be refunded this week.
11 replies
24 recasts
84 reactions

vishal
@vmathur
any more detail you can provide on the authentication spoofing? I want to make sure all my future mini apps/contracts are secure cc @cojo.eth
2 replies
0 recast
2 reactions

Ben Adamsky 💭
@ba
From what we've gathered it looks like:
1. Someone reverse engineered our public endpoints
2. Was able to map fids against our own internal user ids on one of our public routes
3. Exploited a weak check that looked for wallets against internal user ids in our withdraw route
Nothing regarding SIWF was compromised.
1 reply
0 recast
1 reaction
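The weak check described in steps 2 and 3 above, as an added illustration (this is not Ponder's code and assumes a simple session-token backend with constructed data): a withdraw handler that trusts a caller-supplied internal user id, beside one that derives the user only from the authenticated session.

```javascript
// Added illustration, not Ponder's code: the weak check described above
// (wallet looked up against a caller-supplied internal user id) beside a
// version that binds the withdrawal to the authenticated session.
// Every table and request below is constructed for the example.

// Constructed user table: internal id -> { fid, wallet }.
const USERS = new Map([
  [101, { fid: 5001, wallet: '0xAAAA000000000000000000000000000000000001' }],
  [102, { fid: 5002, wallet: '0xBBBB000000000000000000000000000000000002' }],
]);

// Constructed session store: bearer token -> internal user id, set at login.
const SESSIONS = new Map([
  ['tok-alice', 101],
  ['tok-bob', 102],
]);

// Constructed public lookup: once an internal id is discoverable from a fid,
// any route that trusts that id from the request body is exposed.
function lookupInternalId(fid) {
  for (const [id, u] of USERS) if (u.fid === fid) return id;
  return undefined;
}

// WEAK: confirms the wallet belongs to *some* user id, but the id is whatever
// the caller put in the body, so the check proves nothing about the caller.
function withdrawWeak(req) {
  const user = USERS.get(req.body.userId);
  if (!user || user.wallet !== req.body.wallet) {
    return { ok: false, reason: 'wallet mismatch' };
  }
  return { ok: true, from: user.wallet, amount: req.body.amount };
}

// HARDENED: the user id comes only from the authenticated session; the body
// may name a wallet, but it must belong to the session's user.
function withdrawHardened(req) {
  const userId = SESSIONS.get(req.headers.authorization);
  if (userId === undefined) return { ok: false, reason: 'unauthenticated' };
  const user = USERS.get(userId);
  if (!user || user.wallet !== req.body.wallet) {
    return { ok: false, reason: 'wallet not owned by caller' };
  }
  return { ok: true, from: user.wallet, amount: req.body.amount };
}
```

With the hardened handler a discoverable fid-to-internal-id mapping no longer matters for this route, because the id is never read from the request.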

vishal
@vmathur
Thanks for sharing and sorry to hear. Excited for the security changes you made and to continue using ponder!
1 reply
0 recast
1 reaction

Ben Adamsky 💭
@ba
Appreciate it 🙏
0 reply
0 recast
0 reaction