Loading video...

Video Failed to Load

Go Home

🧵/1 So lets break this down Firstly let's make this clear - Everything was reported for FREE in my spare time. It was made clear to Phantom multiple times i don't want payment, I just want the issue fixed!!! I reported some even more serious Vulns about 6 months...

455,992 views • 1 year ago •via X (Twitter)

11 Comments

Cloakd ⌛'s profile picture
Cloakd ⌛1 year ago

🧵/2 > Asked to reproduce the bug for them in a demo (Happily agreed, was late, so we picked up the next day) > Ron Sates "0 changes made to production" (We know this is a lie as ZK is turned off) > Spend an entire day looking into the changes, etc to get the demo ready for them (shock it doesn't work as no ZK feature is enabled any more) > While investigating why the ZK vulnerability wasn't working, I discovered Multiple other bugs around SPL tokens and also reported these to Ron etc with enough details to fix.

Cloakd ⌛'s profile picture
Cloakd ⌛1 year ago

🧵/3 > Ron eventually told me that, yes, ZK is now off for "insert BS reason". - How can you demo something when the feature is off? > They manage to replicate ONE of the SPL vulnerability after being spoon-fed every single detail and state that it is "serious" and a priority fix is going out. > This vulnerability allows you to lock out any wallet/whale/top trader of the attackers' choosing with zero skill and minimal effort if they use @phantom wallet. > I then told this is only a 3.7, aka "LOW" impact bug despite when putting this into any CVE calculator, it comes up as 7.0 & above.

Cloakd ⌛'s profile picture
Cloakd ⌛1 year ago

🧵/4 I deemed it no longer worth my time to deal with this team, given that they cannot even classify a vulnerability correctly. The remote wiper vulnerability, etc., can be tested now that you have fixed the SPL vulnerability, you just need to turn the ZK feature back on. Last night I found a couple more issues while poking around - The entire app seems like it's built with sticky tape & glue with zero focus on security.

Cloakd ⌛'s profile picture
Cloakd ⌛1 year ago

🧵/5 - Now lets address all the inaccuracies in Ron's post (Great job on that one, @phantom marketing team - I like the SMB3 touch) The fact they will post blatant lies & exaggerations tells you everything about this team. "freeze a user’s Phantom app by sending it thousands of tokens." > Original DOS vuln occurred with only 268 Tokens (ZK or SPL) - ZK even more effective with a few other vectors too > You NOW can send even fewer tokens since I spent the time optimising the payload being sent (This is after their "remediation" fix, too......) "Certainly not affect user private keys or secret recovery phrases." > See video 1 - How do you get your seed phrase from a permanently crashed wallet? > You can't, as the localStorage is corrupted "Is now completely remediated" > No, it's not - All you have done is add pagination & remove T22 meta fields > There are still multiple attack vectors open (which I made you aware of) "Despite multiple outreaches from our team." > This one makes me laugh. I have the entire history of DMs since December, and not once did @phantom or any staff reach out. > I have been chasing various members 2x weekly to get this fixed. "we have also not been able to reproduce this despite our best efforts" > Just because you lack the ability to replicate an issue, does not mean the issue doesn't exist. > This is akin to sticking your head in the sand an pretending no one can see you. > You have video evidence of it occuring... Its really not a complex one to figure out.

Cloakd ⌛'s profile picture
Cloakd ⌛1 year ago

🧵/6 I think this is what we call a "Skill Issue." While writing this, it is clear to me that @phantom is probably just trying to bait me out, but when we look at it objectively, it's a very sorry state of affairs. The #1 wallet is bug-ridden, and its organisation has insufficient resources and skills to remediate such threats. So, instead, they try to gaslight their customers on X to pretend there is no issue. And with this approach, will anyone come forward with more FREE vulnerability reports?

Cloakd ⌛'s profile picture
Cloakd ⌛1 year ago

🧵/7 - Fin I'm not going to engage further with @phantom as they are clearly more interested in social media posts rather than actually fixing issues so we will leave it here. To those saying "just exploit it bro" etc ; - No, I'm here to help the community not hurt users - We run on a public ledger, and there are eyes watching all the time. - They will simply be added to my growing pile of unfixed ecosystem vulnerability trophy cabinet Complacency killed the cat - In this case its a ghost though so i dunno 🤷‍♂️

Deals Finder's profile picture
Deals Finder1 year ago

My followers just copped this for only $1 (proof in comments)🚨 Follow for more price errors, they go fast! Just like this one...

João Mendonça's profile picture
João Mendonça1 year ago

@phantom limited context here, but judging from your attendance, persistence, and accuracy, I can't think of a reason why @phantom wouldn't open a dedicated channel of communication to address your current and possibly future reports more promptly huge red flag from where I'm sitting

somekid1995's profile picture
somekid19951 year ago

@phantom @phantom fix this shit

CarlDrogo's profile picture
CarlDrogo1 year ago

@phantom Chad as always

Drey.sol's profile picture
Drey.sol1 year ago

@phantom Chad

Related Videos