Resolved Vulnerability Disclosure from the Engineering Workstream

On 06/17/2024 16:46 UTC the Shapeshift DAO engineering workstream was made aware of a vulnerability that was reported via our responsible disclosure program facilitated by HackenProof. This vulnerability allowed an attacker to inject arbitrary URL paths into one of our market data APIs that would then be requested on the host and results returned to the user. These paths could either be external sites or local network paths on the host machines, allowing the attacker unintended access to the internal network.

The Shapeshift DAO workstream identified the validity of the report within 11 minutes, a root cause within 34 minutes and a full mitigation was released 46 minutes after the initial report was presented to the workstream. We have additionally performed audits of the rest of our code base to ensure this same bug is not present elsewhere and rotated any credentials that could have been exposed.

While no user funds were at risk since we are a non custodial platform we do believe this represents a critical vulnerability in our system and per the terms of our responsible disclosure program have awarded the researcher $7,500. We very much appreciate the disclosure and the efforts of the security community to help make the ecosystem as a whole safer.