Sui ignored my disclosure that nearly 40% of its validators are at risk.
I built a tool called PGDN.ai that analyses DeFi/L1 networks for misconfigurations, CVEs, exposed services, etc. I started with Sui because I had a contact there. I didn't expect much from one of the largest chains. What I found was <i>wild</i>.

- Nearly 40% of validators are running with serious misconfigurations: open SSH, CVEs, default services, no firewalls.
- The majority expose the exact Ubuntu version. They didn't give a sausage.
- I flagged multiple validators with default Apache landing pages on 80, all with a CVE. They said, "that's by design!"
- They cannot tell the difference between RPC & HTTP.
- Port 2375 (usually Docker) was open - they actually just denied this.

For context: I was CTO of a crypto exchange for 4 years, and have spent 20 years in security. It's not my first rodeo, as they say.

When I disclosed responsibly, their response was bizarre:

'A CVE is only exploitable if you know how to exploit it.'

They brushed it off as a "bug bounty". I was not looking for a quick buck, I was looking to help them.

After I spoke to a journalist, their comms team even told my contact not to discuss it further.

I eventually wrote up a simulated attack doc:

Full report (technical): https://github.com/pgdn-network/sui-network-report-250819
Blog (overview): https://paragraph.com/@pgdn/40percent-of-sui-validators-exposed

To me, this shows a systemic lack of security hygiene in a network securing billions of $$$. Given the right tools, an organised group could easily take Sui offline. (I am personally selling all my Sui because of this.)

So my question: is this lack of secops understanding, lack of genuine concern, or something else? I have really struggled to get this out there with my limited public "followers". Would appreciate any input!
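The findings the post lists (Internet-reachable SSH, a Docker daemon API on 2375, a default Apache landing page, Server and SSH banners that disclose the exact Ubuntu build) are the kind of thing a validator operator can self-audit before anyone else does. The block below is an added example and not code from the post or from the PGDN.ai tool: it takes scan records for one host (constructed here, in the shape a banner grab would produce), classifies each listener against an expected-port allowlist and a small set of known-bad ports, extracts version disclosure from HTTP and SSH banners with regexes, and returns ranked findings with a remediation hint. The expected-port set is a placeholder, not Sui's documented port list, and the port-to-severity mapping is the author of this example's assumption.

```python
"""Self-audit of a node's exposed services from banner-grab records (added example)."""
import re
from dataclasses import dataclass

# Placeholder allowlist: ports the node is meant to expose publicly.
# Replace with the ports from the node's own configuration (assumption).
EXPECTED_PUBLIC_PORTS = {8080}

# Listeners that should never be reachable from the Internet (assumed mapping).
HIGH_RISK_PORTS = {
    22: ("high", "SSH reachable from the Internet; restrict to a bastion or VPN source range"),
    2375: ("critical", "Docker daemon API without TLS; anyone reaching it controls the host's containers"),
    2376: ("high", "Docker daemon API with TLS; verify client-certificate auth is enforced"),
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Version-disclosure patterns for the two banner types the post mentions.
HTTP_SERVER_RE = re.compile(
    r"Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>[\d.]+)(?:\s*\((?P<os>[^)]+)\))?", re.I
)
SSH_BANNER_RE = re.compile(r"SSH-2\.0-(?P<product>OpenSSH)_(?P<version>[\w.]+)\s+(?P<os>Ubuntu|Debian)\S*")
DEFAULT_APACHE_RE = re.compile(r"Apache2 (Ubuntu|Debian) Default Page", re.I)


@dataclass
class Finding:
    port: int
    severity: str
    message: str


def _version_disclosure(port, banner):
    """Return a finding if the banner reveals product/version/OS details."""
    for pattern in (HTTP_SERVER_RE, SSH_BANNER_RE):
        m = pattern.search(banner)
        if m:
            detail = f"{m.group('product')}/{m.group('version')}"
            if m.group("os"):
                detail += f" on {m.group('os')}"
            return Finding(port, "medium", f"banner discloses {detail}; hide version tokens or patch and re-verify")
    return None


def audit_exposure(records):
    """Classify each open listener; records are dicts with 'port' and 'banner' keys."""
    findings = []
    for rec in records:
        port, banner = rec["port"], rec.get("banner", "")
        before = len(findings)
        if port in HIGH_RISK_PORTS:
            sev, msg = HIGH_RISK_PORTS[port]
            findings.append(Finding(port, sev, msg))
        disclosure = _version_disclosure(port, banner)
        if disclosure:
            findings.append(disclosure)
        if DEFAULT_APACHE_RE.search(banner):
            findings.append(Finding(port, "medium", "default Apache landing page; unused web server should be removed or firewalled"))
        # Anything else outside the allowlist is at least worth a look.
        if len(findings) == before and port not in EXPECTED_PUBLIC_PORTS:
            findings.append(Finding(port, "low", "listener not in the expected public port set; confirm it is intended"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean host."""
    if not findings:
        return "none"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed scan records for one hypothetical host (not real data).
SAMPLE_SCAN = [
    {"port": 22, "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11"},
    {"port": 80, "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n<title>Apache2 Ubuntu Default Page: It works</title>"},
    {"port": 2375, "banner": '{"ApiVersion":"1.43"}'},
    {"port": 8080, "banner": ""},
]

if __name__ == "__main__":
    for f in sorted(audit_exposure(SAMPLE_SCAN), key=lambda f: -SEVERITY_ORDER.index(f.severity)):
        print(f"[{f.severity:8}] port {f.port}: {f.message}")
    print("worst:", worst_severity(audit_exposure(SAMPLE_SCAN)))
```

Run it against the constructed records and the host rates `critical` on the strength of port 2375 alone; port 22 and port 80 each yield two findings (exposure plus version disclosure, or disclosure plus the default page), while the allowlisted 8080 yields none. Feeding it real banner-grab output of your own hosts is a matter of replacing `SAMPLE_SCAN`.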