Ethereum and uPort are headed into a multi-chain world. As end users interact more and more with Ethereum and multiple chains, the risk of monetary loss from users or servers inadvertently transferring value from an address on network X to an address on network Y grows higher and higher.
The Bitcoin protocol uses Base58Check encoding to prevent this, but the Ethereum ecosystem has used a raw hex version of the address instead.
As uPort is switching networks and is planning on living in a primarily multi-network world, we need to solve this issue urgently.
My proposal is inspired by the Base58Check encoding as well as EIP77, but adds a network identifier, which allows us to programmatically extract the network used by an address as well as provide a visual indicator of the network used.
The following items are encoded:
1
Then use base58 encoding of the end result. The end result is fairly complete but still extensible in the future. We could start by using simply the network id and replace it with the genesis block hash and other metadata in the future.
This works with Ethereum-based blockchains, but can easily be extended to use other blockchains or even non-blockchain identifiers in the future. It would also be straightforward to add further details specifying which fork, etc.
This can be implemented very easily with few dependencies. It would be trivial to use this to add multichain support to uport-lite, for example, thus even allowing (if we want it) the interchange of JWTs verified on different networks.
The following Ethereum hex-encoded address, 0x00521965e7bd230323c423d96c657db5b79d099f, could be encoded as follows, depending on the network:
2nQtiQG6Cgm1GYTBaaKAgr76uY7iSexUkqX
2oDZvNUgn77w2BKTkd9qKpMeUo8EL94QL5V
34ukSmiK1oA1C5Du8aWpkjFGALoH7nsHeDX
9Xy8yQpdeCNSPGQ9jwTha9MRSb2QJ8HYzf1u
It would be trivial to add shard ids, fork descriptors (block number and hash) etc to the address. It would also be trivial to encode other kinds of identities that don't correspond directly to an address on a chain.
> var mnid = require('mnid')
> mnid.encode({
network: '0x1', // the hex encoded network id or for private chains the hex encoded first 4 bytes of the genesis hash
address: '0x00521965e7bd230323c423d96c657db5b79d099f'
})
'2nQtiQG6Cgm1GYTBaaKAgr76uY7iSexUkqX'
> mnid.decode('2nQtiQG6Cgm1GYTBaaKAgr76uY7iSexUkqX')
{ network: '0x1',
address: '0x00521965e7bd230323c423d96c657db5b79d099f' }
// Check if string is a valid MNID
> mnid.isMNID('2nQtiQG6Cgm1GYTBaaKAgr76uY7iSexUkqX')
true
> mnid.isMNID('0x00521965e7bd230323c423d96c657db5b79d099f')
false
> mnid.isMNID('1GbVUSW5WJmRCpaCJ4hanUny77oDaWW4to')
false
> mnid.isMNID('QmXuNqXmrkxs4WhTDC2GCnXEep4LUD87bu97LQMn1rkxmQ')
false
Bitcoin's encoding consists of the following 3 items:
The whole thing is base58 encoded for compactness and URL safety.
The version prefix allows humans to visually recognize the address type from the first couple of characters. The error checking code ensures that there aren't any obvious errors in the address.
A previous attempt at solving this for Ethereum is found in EIP 77, which is similar to Base58Check:
Multi Network Identifier - Blockchain Address Encoding
The npm package mnid receives a total of 19 weekly downloads. As such, mnid popularity was classified as not popular.
We found that mnid demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.