Infrastructure Vulnerability Found and Fixed

Special thanks to 0xTEAM for discovering the vulnerability.

We would like to inform our users about a potential security threat affecting one of our subdomains, which would have allowed a malicious actor to take over the subdomain and deploy a fake website.

No user funds were lost, and the vulnerability was unrelated to the development of Dusk’s code, blockchain, smart contracts, or technology. As such, it has no impact on the timelines for mainnet, but it does highlight the importance of meticulously reviewing all infrastructure related to the project, including the website.

Key Points

  • The vulnerability was found in a subdomain of the website
  • A malicious actor would have been able to create and successfully deploy a bogus website on the subdomain, thus creating a vehicle for scams and phishing attempts against users and token holders
  • The 0xTeam promptly alerted us to this fact, and we immediately and successfully remedied the situation

Who is affected?

No one. This vulnerability has been fixed and had no impact on token holders or investors. 

The future

Best practices for reducing attack surfaces of this kind include using penetration-testing and reconnaissance tools to identify similar exposures. We will conduct a thorough and meticulous review of all Dusk infrastructure and make it a priority to ensure that everything involved in the Dusk ecosystem is reviewed and well maintained.
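One defender-side check of the kind mentioned above, added here as an example and not Dusk's own tooling: it audits a zone export for CNAME records whose target no longer resolves, and separately flags CNAMEs to hosting providers whose DNS answers for any name, where only the provider account can confirm the resource still exists. The zone lines and provider list are constructed for illustration; the post does not state the root cause of the Dusk subdomain issue.

```python
"""Audit a BIND-style zone export for CNAME records that could enable a
subdomain takeover. Added example, not Dusk's own tooling."""
import socket

# Constructed zone export for illustration (not a real Dusk zone).
SAMPLE_ZONE = """\
www.example.com.      300 IN A     203.0.113.10
api.example.com.      300 IN CNAME api-backend.example.net.
docs.example.com.     300 IN CNAME example-docs.github.io.
old-app.example.com.  300 IN CNAME retired-app.azurewebsites.net.
mail.example.com.     300 IN MX    10 mx.example.com.
"""

# Providers whose DNS answers for any name (e.g. GitHub Pages, S3 website
# endpoints): a successful lookup proves nothing, so the owner must confirm
# the resource still exists in the provider account. Illustrative list.
WILDCARD_PROVIDERS = (".github.io.", ".s3-website-us-east-1.amazonaws.com.")

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME record in the export."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "CNAME":
            pairs.append((fields[0], fields[4]))
    return pairs

def target_resolves(name):
    """True if the CNAME target has any address; False on NXDOMAIN/no data."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

def find_takeover_candidates(zone_text, resolves=target_resolves):
    """Flag dangling CNAMEs (target does not resolve) and CNAMEs to wildcard
    providers. `resolves` is injectable so the audit runs without network."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if target.endswith(WILDCARD_PROVIDERS):
            findings.append((owner, target, "verify-with-provider"))
        elif not resolves(target):
            findings.append((owner, target, "dangling"))
    return findings

if __name__ == "__main__":
    for owner, target, status in find_takeover_candidates(SAMPLE_ZONE):
        print(f"{status:22} {owner} -> {target}")
```

A "dangling" finding should be removed from DNS or re-pointed at a live resource; a "verify-with-provider" finding needs a manual check that the named resource still exists in the provider account.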

We are very thankful to the 0xTeam for making us aware of this vulnerability, and grateful to the wider security and white-hat community for the work they do to secure the space.

Although we do not currently have a bug bounty program, we will certainly create an extensive one in the near future, when we are ready to transition toward the auditing, testing, and security assessment phases of our roadmap.

If you are interested in this topic, we have also written about vulnerability disclosure in this piece by Hein Dauven, and discussed it in a recent podcast with blockchain auditors Oak Security.