Secret Network Crypto Transactions Not So Secret After All

Secret Network was supposed to keep transactions private, but researchers warn there’s no telling how many people have decrypted them

by Sebastian Sinclair /
article-image

Source: Shutterstock

share

Privacy-focused protocol Secret Network — intended to be anonymous and confidential — has disclosed a security vulnerability that threatened to reveal user transaction histories.

The bug, discovered by researchers from the University of Illinois Urbana-Champaign in October, allowed extraction of a so-called “consensus seed,” effectively a master decryption key for Secret Network.

“Exposure of the consensus seed would enable the complete retroactive disclosure of all Secret-4 private transactions since the chain began,” the team said. SCRT Labs, the group behind the blockchain’s development, patched the vulnerability earlier this month.

The attack vector involved exploiting flaws in Intel’s Software Guard Extension (SGX). SGX is a set of security-related instruction codes built into some Intel central processing units (CPUs), including their latest 10th, 11th and 12th-generation chips. 

The SGX bugs first became public knowledge in early August, and the researchers say they also discovered related flaws in video software PowerDVD. 

Secret Network, backed by scandal-ridden firms Alameda Research and Terraform Labs, runs on delegated proof-of-stake consensus, a method first utilized by EOS. The protocol is considered somewhat of a competitor to other privacy-centric networks such as Monero and Zcash, albeit with a much smaller market capitalization around $150 million (compared to $2.5 billion and $550 million).

Unlike Bitcoin and Ethereum, which allow anyone with the right equipment (and in the latter’s case, enough ether) to join the network, Secret Network token holders select 50 trusted third parties to maintain specialized validating nodes that keep the blockchain flowing.

But the researchers didn’t have to become fully-fledged network validators to exploit the bug. They were able to extract their Secret Network master key by running a full node (which anyone can do) with a machine powered by the vulnerable processors. 

Full nodes download a complete copy of the blockchain onto the related machine, and in Secret Network’s case, a “sealed consensus seed” along with it.

Secret Network node software uses what’s known as a trusted execution environment (TEE). These are secure regions of a main processor that only certain trusted devices, codes, or applications can access. The researchers were able to exploit this part of Secret Network’s stack, alongside Intel’s SGX, to decrypt the sealed consensus seed and thus reveal all private transactions on the protocol’s ledger.

Loading Tweet..
Tom Yurek, part of the discovering team, discusses the bug on Twitter

Secret Network users urged to reconsider their operational security

SCRT Labs has assured users that to the best of its knowledge, no malicious actor had exploited the vulnerability in the wild prior to it being patched.

The researchers, however, have stated there’s no way to know for certain whether the attack had been executed previously.

SCRT said it held off releasing details of the bug due to a mutual agreement between itself, Intel and the researchers to mitigate potential for the vulnerability to be exploited, a common move in software development.

In any case, the team that discovered the flaw have urged “privacy-conscious” users to reassess their online footprints, considering that their past “secret” transactions may be exposed.

“SCRT Labs ‘fixed’ it now, but all past transactions are compromised,” the team said. Secret Network’s native token has remained relatively steady since the disclosure, only dropping around 2%, although it’s already collapsed 85% in the year to date alongside swathes of other crypto projects.

The researchers break down the attack into two phases: Prepare and Exploit | Source: SGX.fail

New Secret Network nodes are currently limited to “server-class” hardware while SCRT has vowed to ratchet security-focused features for the network. The stewards also said they would strengthen their communications with Intel to ensure users receive early warning of future undisclosed vulnerabilities.

Funds on Secret Network are considered safe (only the confidentiality of the network has been compromised, not user private keys). The researchers noted the most concerning application of the attack is bulk surveillance of Secret users’ personal finances.

There was still opportunity to front-run DeFi applications and breach private metadata tied to NFTs deployed on the network. “Any digital assets that rely on private metadata, such as NFTs exchanging secret authentication keys, would be at risk of theft,” they wrote.

David Canellis contributed reporting.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Unlocked by Template.jpg

Research

Bitcoin Expressivity with BitcoinOS

The BitcoinOS team is the first to have developed and posted a ZK-compressed proof on the Bitcoin network. Other proof verification efforts have been limited to the Signet or testnet deployments. Their work has resulted in the development of BitSNARK, a software library for ZK-compressed fraud proofs on the Bitcoin network. The project aims to provide a horizontal scaling solution, offering a one-stop shop for teams interested in developing a rollup on Bitcoin. This approach shares similarities with the horizontal tech stack scaling in other ecosystems like Cosmos and Optimism, particularly in its focus on simplified verification, bridging standards, and lightweight interoperability.

by 0xMims

/

news

article-image

Analysis

Crypto monthly active addresses are hitting all-time highs: A16z

A16z’s State of Crypto report shows that DeFi has the largest number of daily active addresses, with stablecoins following closely behind

by Katherine Ross /
article-image

DeFi

Conduit sees path to gigagas throughput with new sequencer

G2 is delivering real-world performance breakthroughs at 50-100 Mgas/s, Conduit says

by Macauley Peterson /
article-image

Analysis

Memecoin conceived by AI trumps Trump-linked token sale

World Liberty Financial’s token sale debuted just as an absurd AI-fueled memecoin captured crypto’s attention

by David Canellis /
article-image

Empire Newsletter

World Liberty Financial’s presale overshadowed by memecoin-shilling AI

Plus, would crypto be better out of the limelight?

by Katherine Ross&David Canellis /
article-image

Policy

Coinbase continues with SEC lawsuit over denied FOIA request 

Coinbase hired History Associates in 2023 to assist in retrieving records from the SEC and FDIC

by Casey Wagner /
article-image

Forward Guidance Newsletter

VP Harris’s latest crypto comments fall short on details

Hours after pledging to support Black men’s rights to safely invest in crypto, VP Harris’s Monday night speech mentioned blockchain zero times

by Casey Wagner&Ben Strack /