Vulnerability
This release contains a bug fix for an issue discovered by a Trail of Bits audit of the ethstaker fork of this repo. Earlier versions of the Wagyu Key Gen GUI are also vulnerable.
Keystore files generated with earlier releases of this tool are vulnerable to being decrypted without the password if many keystores were generated at once. The attack becomes exponentially easier as more keys are generated in one run. If you generated only a few keys, you appear to be safe, as current research indicates that significant compute would be required. However, if you generated a large number of keystores in a single run of the CLI, you should treat those keystores as if they were unencrypted.
An attack requires access to multiple keystores that were generated simultaneously, so if your keys have only been stored locally, or you did not generate a large number, it appears you are not susceptible.
If you think you could be vulnerable to such an attack, you have two options depending on your circumstances:
- If your keystores have not been exposed to the public internet, you can re-derive your keystores from your mnemonic using this or a later version of this tool. Delete all existing copies of your old keystores, make sure your validator signing keys have been removed from your Validator Client, and import your new keystores. Take extreme care to remove your old keys from your Validator Client before importing the new versions; otherwise there is a risk of being slashed.
- If you think your keystores have been exposed to the public internet or to parties you do not trust, and you generated many keys, you will need to exit and withdraw your current validators, derive new keys from a new mnemonic, and re-deposit as new validators.
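Deciding which option applies starts with checking whether a batch of keystores came out of one generation run with defects. The release note does not describe the root cause, so the following added script (not code from the staking-deposit-cli project) performs only a generic hygiene check on a directory of EIP-2335 keystores: it flags any KDF salt, cipher IV or public key that appears in more than one file, which should never happen for independently generated keystores. The sample batch and its values are constructed placeholders.

```python
import json
from collections import defaultdict
from pathlib import Path

# EIP-2335 keystore fields that must be unique per keystore; a value repeated
# across files from one generation run is a defect worth investigating.
FIELDS = {
    "kdf_salt": lambda ks: ks["crypto"]["kdf"]["params"]["salt"],
    "cipher_iv": lambda ks: ks["crypto"]["cipher"]["params"]["iv"],
    "pubkey": lambda ks: ks["pubkey"],
}

def find_shared_parameters(keystores):
    """Return {field: {value: [file names]}} for values seen in 2+ keystores.
    `keystores` maps file name -> parsed keystore JSON; malformed ones are skipped."""
    seen = {field: defaultdict(list) for field in FIELDS}
    for name, ks in keystores.items():
        for field, getter in FIELDS.items():
            try:
                # Normalise hex so "0xAB.." and "ab.." compare equal.
                value = getter(ks).lower().replace("0x", "", 1)
            except (KeyError, TypeError, AttributeError):
                continue  # not a well-formed EIP-2335 keystore; ignore here
            seen[field][value].append(name)
    shared = {}
    for field, values in seen.items():
        dupes = {v: names for v, names in values.items() if len(names) > 1}
        if dupes:
            shared[field] = dupes
    return shared

def audit_directory(path):
    """Load every keystore-*.json under `path` and report shared parameters."""
    files = sorted(Path(path).glob("keystore-*.json"))
    return find_shared_parameters({p.name: json.loads(p.read_text()) for p in files})

def _keystore(salt, iv, pubkey):
    # Minimal constructed keystore skeleton; only the audited fields are filled in.
    return {"crypto": {"kdf": {"function": "scrypt", "params": {"salt": salt}},
                       "cipher": {"function": "aes-128-ctr", "params": {"iv": iv}}},
            "pubkey": pubkey}

# Constructed sample batch (placeholder values, not real keys): b and c share a
# salt and a and b share an IV, so the batch must be flagged on both counts.
SAMPLE_BATCH = {
    "keystore-a.json": _keystore("a1" * 16, "0f" * 8, "b0" * 24),
    "keystore-b.json": _keystore("c2" * 16, "0f" * 8, "b1" * 24),
    "keystore-c.json": _keystore("c2" * 16, "77" * 8, "b2" * 24),
}
```

Run `audit_directory("validator_keys")` against the output folder of a single CLI run; an empty result means no shared parameters were found, not that the keystores are safe.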
Changelog
- Patch vulnerability with multiple keystores
- #378 - Update Holešky fork-version for relaunch
- #401 - Update python, packages, & OS versions
- #425 - Bumps cli-version 2.7 -> 2.8
- #426 - Update to the latest testnet chain configs
| Platform | Compressed file | SHA256 checksum |
|---|---|---|
| Linux amd64 | staking_deposit-cli-948d3fc-linux-amd64.tar.gz | ef021252abd2591ef6d3558fb3258b35f478c20333f2dff4a17cc79b573c3879 |
| Linux arm64 | staking_deposit-cli-948d3fc-linux-arm64.tar.gz | a30f09303443113987bd72100d9dfeac3113dbe8cfcfa57381135cc78dff8726 |
| macOS arm64 | staking_deposit-cli-948d3fc-darwin-arm64.tar.gz | 8cdaeeedc864c79dcdaf52789820d98abab9ffdf1cdc0143ebad3c41aceca320 |
| Windows amd64 | staking_deposit-cli-948d3fc-windows-amd64.zip | 9ed40c28c899c4e979ed037e9ce4d0595d21d5e3541ab76dcdf9d17459eea26d |