
Billion-Dollar Validator Vulnerability Exposed: How Basic Web2 Attacks Could Have Devastated Proof-of-Stake Networks

Cryptocurrency markets traded near all-time highs in early May 2024, with Bitcoin hovering around $62,889 and Ethereum changing hands at $3,103. Yet beneath the surface of a buoyant market, cybersecurity researchers at dWallet Labs quietly disclosed a vulnerability that could have resulted in losses exceeding one billion dollars across multiple Proof-of-Stake blockchains.

The discovery, published on May 3, 2024, exposed fundamental weaknesses in how validator infrastructure provider InfStones managed private keys for hundreds of blockchain nodes. What made the finding particularly alarming was that the attack vector required nothing more sophisticated than basic Web2 security exploitation techniques — the same methods that have plagued traditional cloud computing for years.

The Exploit Mechanics

dWallet Labs began their investigation by examining the Sui blockchain network. After discovering an API call that listed active validators, they identified an open port — 55555/tcp — managed by InfStones, a major validator infrastructure provider serving multiple blockchain networks.

This open port led to an open-source tool called Tailon, which provides file reading and log monitoring capabilities. More critically, the researchers discovered a remote code execution (RCE) vulnerability within Tailon that granted them root-level privileges on the affected servers. Root privilege represents the highest level of access on a computer system, enabling unrestricted control over all files, commands, and system resources.

Using Censys, a search engine for Internet-connected devices, the researchers identified approximately 115 potentially vulnerable servers. By creating an account on InfStones, they discovered an API proxy that exposed usernames and passwords in cleartext, providing access to all servers in the infrastructure.

Affected Systems

The scope of the vulnerability was staggering. dWallet Labs ultimately demonstrated that poor server configuration enabled them to execute commands with root privileges on over 450 servers, a significant portion of which were running blockchain validators across multiple major networks.

The researchers further discovered AWS credential files on every server they examined. These credentials not only had read access to S3 buckets containing blockchain network binaries but also had write access. This meant an attacker could theoretically replace legitimate binaries with malicious versions, compromising every new node created through the platform.

At minimum, the researchers estimated that 1.2% of Ethereum's total stake could have been stolen through the theft of validator private keys. Given Ethereum's market price of approximately $3,103 at the time, this represented a potential loss running into hundreds of millions of dollars from Ethereum alone.

The Mitigation Strategy

dWallet Labs responsibly disclosed the vulnerability to InfStones before publishing their findings. The disclosure followed established protocols in the cybersecurity community, giving the infrastructure provider time to patch the affected systems and secure their validator nodes.

The mitigation required multiple layers of fixes. First, the open ports exposing Tailon and other management interfaces needed to be closed or properly secured behind authentication barriers. Second, the practice of storing AWS credentials with write access on individual servers needed to be replaced with a more secure secrets management approach. Third, the API proxy exposing credentials in cleartext required immediate remediation.
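The three fixes above translate into concrete checks an operator can run on each validator host. The script below is an added example written for this article, not code from dWallet Labs, InfStones or the original post: it flags a management tool such as Tailon bound to a public interface (55555/tcp is the port the article reports; the 8080 entry is an assumed placeholder), long-lived AWS access keys stored on disk, and cleartext secrets in a proxy configuration. All inputs are constructed samples, so it runs offline.

```python
import re
from dataclasses import dataclass

# Management and log-viewer tools that must never listen on a public interface.
# 55555/tcp is the port the article reports for Tailon; 8080 is an assumed
# example of a generic admin UI.
MANAGEMENT_PORTS = {55555: "tailon", 8080: "admin-ui"}
PUBLIC_BINDS = {"0.0.0.0", "*", "::", "[::]"}

# Long-lived IAM user keys start with AKIA; temporary STS keys start with ASIA.
STATIC_AWS_KEY_RE = re.compile(r"aws_access_key_id\s*=\s*(AKIA[0-9A-Z]{16})")
SECRET_KEY_NAMES = re.compile(r"(password|secret|token)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


def audit_listeners(ss_output: str) -> list[Finding]:
    """Flag management ports bound to all interfaces in `ss -tlnp`-style output."""
    findings = []
    for line in ss_output.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        try:
            port = int(port)
        except ValueError:
            continue
        if port in MANAGEMENT_PORTS and host in PUBLIC_BINDS:
            findings.append(Finding(
                "high", "exposed-management-port",
                f"{MANAGEMENT_PORTS[port]} listening on {cols[3]}; bind it to "
                "127.0.0.1 or a management VLAN and put it behind authentication"))
    return findings


def audit_aws_credentials(path: str, content: str) -> list[Finding]:
    """Flag long-lived AWS access keys stored as files on the node."""
    return [
        Finding("high", "static-aws-key",
                f"{path}: long-lived key {m.group(1)[:8]}... on disk; replace it with "
                "an instance role or short-lived STS credentials, and keep S3 write "
                "rights off validator hosts entirely")
        for m in STATIC_AWS_KEY_RE.finditer(content)
    ]


def audit_cleartext_secrets(path: str, content: str) -> list[Finding]:
    """Flag secret-looking keys with literal values (env references like ${X} are fine)."""
    findings = []
    for line in content.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if SECRET_KEY_NAMES.search(key) and value and not value.startswith("${"):
            findings.append(Finding(
                "medium", "cleartext-secret",
                f"{path}: '{key}' holds a literal value; load it from a secrets "
                "manager or the environment at start-up instead"))
    return findings


def run_audit(ss_output: str, files: dict[str, str]) -> list[Finding]:
    """Combine all checks; `files` maps a path to its content."""
    findings = audit_listeners(ss_output)
    for path, content in files.items():
        if path.endswith("credentials"):
            findings += audit_aws_credentials(path, content)
        else:
            findings += audit_cleartext_secrets(path, content)
    return findings


# ---- constructed sample inputs (not real hosts or keys; AKIAIOSFODNN7EXAMPLE is
# the documented AWS example key) ----
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:55555      0.0.0.0:*         users:(("tailon",pid=1234,fd=5))
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("admin-ui",pid=2222,fd=4))
LISTEN 0      4096   [::]:9000          [::]:*            users:(("validator",pid=3333,fd=9))
"""
SAMPLE_FILES = {
    "/home/ops/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                  "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "/etc/api-proxy/proxy.conf": "upstream = https://nodes.example.internal\n"
                                 "basic_auth_user = operator\n"
                                 "basic_auth_password = correct-horse-battery\n"
                                 "api_token = ${API_TOKEN}\n",
}

if __name__ == "__main__":
    for f in run_audit(SAMPLE_SS, SAMPLE_FILES):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

On the sample data the audit produces exactly one finding per mitigation layer: the Tailon listener on 0.0.0.0, the static AKIA key, and the literal proxy password. The validator's own port 9000 on [::] is not flagged because it is not a management port, and the admin UI on 127.0.0.1 passes because it is loopback-only. On a real host you would feed `ss -tlnp` output and the contents of the credentials and proxy configuration files to `run_audit`.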

For the broader blockchain ecosystem, the incident highlighted the critical importance of auditing third-party infrastructure providers. Protocols that rely on external validators must verify that their partners meet rigorous security standards, not just for blockchain-specific threats but for fundamental Web2 security hygiene.

Lessons Learned

The InfStones vulnerability served as a stark reminder that blockchain security extends far beyond smart contract audits and consensus mechanisms. The weakest link in a Proof-of-Stake network can be the traditional IT infrastructure supporting its validators.

Key takeaways include the critical need for regular penetration testing of validator infrastructure, mandatory security audits for all third-party infrastructure providers, implementation of hardware security modules for private key management, and network segmentation that isolates validator operations from general server management tools.

The researchers noted that a sophisticated attack group, such as state-sponsored actors, could have methodically collected private keys over an extended period before executing a coordinated attack — a scenario they described as waiting for judgment day.

User Action Required

For institutional stakers and delegators, this disclosure underscores the importance of due diligence when selecting validator providers. Users should inquire about their validators' security practices, including penetration testing schedules, key management procedures, and infrastructure security certifications. Individual stakers should consider diversifying across multiple validators and infrastructure providers to minimize concentration risk.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.


6 thoughts on “Billion-Dollar Validator Vulnerability Exposed: How Basic Web2 Attacks Could Have Devastated Proof-of-Stake Networks”

  1. an open port 55555 running Tailon on a validator node and nobody noticed until researchers stumbled on it. billion dollar exposure from a basic web2 misconfig. wild

    1. ^ the scary part is dWallet Labs only found it by accident while mapping Sui validators. how many other providers have the same issue and nobody looked

    2. port 55555 running a file manager on a production validator. billion dollar staking operations and the opsec was worse than my home NAS setup

  2. InfStones was running hundreds of nodes with shared key management? that's not infrastructure, that's a single point of failure wearing a trench coat

    1. trench coat is the most accurate description of validator infrastructure I've ever seen. shared key management across hundreds of nodes is not decentralization

  3. this is why i keep telling people to run their own validators. delegating to providers like InfStones means trusting their ops team with your entire stake

