zengo-wallet-challenge

About

Repository for all OSINT and code relating to ZenGo Wallet Challenge #ZengoWalletChallenge. All information and code in this repository is CC0 licensed. Do with it what you wish, add a PR if you like, and if you break the wallet consider giving back some sats ;)

Dates: 9 to 28 January 2024

Status: Ongoing

Conditions ZenGo White Hat Conditions apply

Official HINTS

• Hint #1: The Email Address associated with this wallet is [email protected]
• Hint #2: The email address associated with the Recovery File Cloud Backup is: [email protected]

[ADD SCREENSHOT]

• no DoS / DDoS
• no social engineering (phishing, vishing, smishing)
• no SSL/TLS config attacks on server
• yes RCE on server
• yes to SQL injection

Out of Scope:

• Previously known vulnerable libraries without a working proof of concept
• Missing best practices in SSL/TLS configuration
• Any activity that could lead to the disruption of our service (DoS)

Confirmed by Zengo team via Twitter on 14 Jan

Personal Commitment to how funds will be used

Essential Links

OSINT - START HERE

CODE - START HERE

OSINT - Certik blog - Fortifying ZenGo: Unearthing and Defending Against Privileged User Attacks (4/4/2023)

ZenGO

ZenGo Challenge webpage

Reddit AMA Launch

Twitter Thread by ZenGo

Twitter Spaces Launch

Twitter Space with Certik

BTC address: 3NB5gbyhCQM92WUpHxfpK7PqC1KKTAYwpK

ETH address: 0x3ceb6a3eeb69a3b8fd4d1865dde9799310e547b7

Twitter

My megathread on Twitter/X

Thread Reader Unroll: Tweets 1 - 114

Videos

Black Hat - Small Leaks, Billions Of Dollars: Practical Cryptographic Exploits That Undermine Crypto Wallets

DEF CON 31 - Small Leaks, Billions Of Dollars - Nikolaos Makriyannis, Oren Yomtov

DeCompute'23 - Nikolaos Makriyannis - Practical KeyExtraction attacks in leading wallets

Omer Shlomovits - Multiple Bugs in Multi-Party Computation: Breaking Cryptocurrency's Strongest Wallets (2 years ago)

Tal Be'ery & Matan Hamilis - Attacking and Defending Blockchains: From Horror Stories to Secure Wallets (5 years ago)