Sui fobbed off my disclosure that nearly 40% of their validators are exposed

simonmorley · 9/10/2025, 10:49:03 AM
I built a tool called PGDN.ai that analyses DeFi/L1 networks for misconfigurations, CVEs, exposed services, etc. I started with Sui because I had a contact there. I didn’t expect much from one of the largest chains. What I found was wild.

- Nearly 40% of validators are running with serious misconfigurations: open SSH, CVEs, default services, no firewalls.
- The majority expose the exact Ubuntu version. They didn’t give a sausage.
- I flagged multiple validators with default Apache landing pages on 80, all with a CVE. They said, "that’s by design!"
- They cannot tell the difference between RPC & HTTP.
- Port 2375 (usually Docker) was open - they actually just denied this.

For context: I was CTO of a crypto exchange for 4 years, and have spent 20 years in security. It's not my first rodeo, as they say.

When I disclosed responsibly, their response was bizarre:

'A CVE is only exploitable if you know how to exploit it.'

They brushed it off as a "bug bounty". I was not looking for a quick buck, I was looking to help them.

After I spoke to a journalist, their comms team even told my contact not to discuss it further.

I eventually wrote up a simulated attack doc:

Full report (technical): https://github.com/pgdn-network/sui-network-report-250819
Blog (overview): https://paragraph.com/@pgdn/40percent-of-sui-validators-exposed

To me, this shows a systemic lack of security hygiene in a network securing billions of $$$. Given the right tools, an organised group could easily take Sui offline. (I am personally selling all my Sui because of this.)

So my question: is this lack of secops understanding, lack of genuine concern, or something else? I have really struggled to get this out there with my limited public "followers". Would appreciate any input!
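The exposure classes listed in the post (SSH on every interface, the Docker API on 2375, a stray Apache on 80, a banner that pins the exact Ubuntu build) can all be caught by an operator from the host itself before anyone scans it from outside. The script below is an added example, not code from the post or from PGDN.ai: it parses the output of `ss -ltnHp` and an SSH banner and reports those exposures. The socket listing, the banner and the "expected ports" set are constructed sample data; a real operator would substitute their own node's port configuration.

```python
"""Local self-audit of a validator host's listening services and SSH banner.

Added example (not from the original post or the PGDN tool). Sample data is
constructed; EXPECTED_PORTS is an assumption standing in for the ports an
operator knows their own node legitimately exposes.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

LOOPBACK = ("127.0.0.1", "::1")

# One line of `ss -ltnHp`: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",...))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Debian/Ubuntu package suffix in an OpenSSH banner, e.g. "Ubuntu-3ubuntu0.10"
DISTRO_SUFFIX = re.compile(r"\b(Ubuntu|Debian)-\S+")


@dataclass
class Finding:
    port: int
    process: str
    severity: str
    message: str


def parse_ss(output: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (bind_address, port, process) for each listening TCP socket."""
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            yield m["addr"], int(m["port"]), m["proc"] or "?"


def audit_listeners(ss_output: str, expected_ports: set) -> List[Finding]:
    """Flag network-reachable listeners that a validator host should not have."""
    findings = []
    for addr, port, proc in parse_ss(ss_output):
        if addr in LOOPBACK:
            continue  # loopback-only listeners are not reachable from the network
        if port == 2375:
            findings.append(Finding(port, proc, "critical",
                "Docker daemon API on 2375 is unauthenticated and reachable: "
                "use the unix socket or require TLS client certificates"))
        elif port == 22:
            findings.append(Finding(port, proc, "high",
                "SSH bound to all interfaces: restrict with a firewall allowlist "
                "or a dedicated management network"))
        elif port in (80, 443) and proc.startswith(("apache", "httpd", "nginx")):
            findings.append(Finding(port, proc, "medium",
                "General-purpose web server on a validator: remove it, or at least "
                "its default site, and set ServerTokens Prod / ServerSignature Off"))
        elif port not in expected_ports:
            findings.append(Finding(port, proc, "medium",
                "Listener is not in the node's expected port set: confirm it is "
                "intended and firewalled"))
    return findings


def check_ssh_banner(banner: str) -> Optional[Finding]:
    """Flag a banner that reveals the distribution package build (and thus the
    exact OS release); Debian/Ubuntu sshd accepts `DebianBanner no` to drop it."""
    if DISTRO_SUFFIX.search(banner):
        return Finding(22, "sshd", "low",
            "SSH banner discloses the distribution build string; set DebianBanner no")
    return None


# --- constructed sample input (not real hosts) ---
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=1200,fd=9))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=1300,fd=4))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("sui-node",pid=2000,fd=50))
LISTEN 0 128 127.0.0.1:9184 0.0.0.0:* users:(("sui-node",pid=2000,fd=51))
"""
EXPECTED_PORTS = {8080}  # assumption: the operator's known validator port(s)
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"  # constructed

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, EXPECTED_PORTS):
        print(f"[{f.severity}] :{f.port} ({f.process}) {f.message}")
    b = check_ssh_banner(SAMPLE_BANNER)
    if b:
        print(f"[{b.severity}] {b.message}")
```

On a live host the same functions can be fed `subprocess.run(["ss", "-ltnHp"], capture_output=True, text=True).stdout`; the loopback filter is what separates a metrics endpoint that is correctly bound to 127.0.0.1 from the same service accidentally bound to 0.0.0.0.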

Comments (4)

Fade_Dance · 1h ago
>is this lack of secops understanding, lack of genuine concern, or something else?

Even if they were to patch the provided list, it sounds like the problem runs deeper. In that case there's not much you can do unless you're at a higher-up position within the actual org.

There's probably nothing you can realistically do (except spread the word, of course). Most pen testing just isn't that sexy. The likely result that will draw in public interest is that eventually they will have a major public security issue. It's that simple, and sometimes it's just a matter of time.

There is a chance that the biggest problems are localized at the interface between the company and public, and in that case getting the higher ups to be aware of the severity of the deficiency (both culturally and technically) could change things, but it's likely you're going to find the same thing when you climb the ladder...

simonmorley · 19m ago
Yeah, exactly. It isn't. At one point, someone in their team sent me an internal DDoS audit for the sui application. And basically said "no problems". Erm.

What’s ironic is that Aptos (their supposed arch nemesis) came back clean as a whistle on our first pass. Yet it’s Sui always "out there winning" because of their massive marketing spend.

That said, I started publishing the node scores to the blockchain and someone did ask me if they should move their staked funds from one that was sub-standard... Yes, you should.

mouse_ · 2h ago
51% them and send everyone's coin to burn address
simonmorley · 2h ago
Quite... Also, simpler than that, don’t even need 51%! At ~33% you hit the Byzantine limit and consensus dies. And I doubt anyone running one of these validators knows what a backup is.
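The "~33%" figure in the reply is the standard BFT bound: consensus stays live only while faulty or offline stake is strictly less than one third of the total. What matters for an operator or delegator is therefore not the count of misconfigured validators but how much voting power sits on them. The code below is an added example, not part of the thread and not PGDN's scoring code; it treats "stake" as the voting weight, and the validator names and stake values are constructed, not real Sui figures.

```python
"""Stake-weighted fault-tolerance check for a BFT validator set.

Added example, not from the original thread. Assumes voting power is
proportional to stake and that the protocol tolerates faulty stake f only
while 3*f < total. All stake values below are constructed samples.
"""
from fractions import Fraction
from typing import Dict, List, Set


def at_risk_fraction(stakes: Dict[str, int], flagged: Set[str]) -> Fraction:
    """Share of total stake held by validators flagged as poorly operated."""
    total = sum(stakes.values())
    return Fraction(sum(stakes[v] for v in flagged), total)


def liveness_at_risk(stakes: Dict[str, int], flagged: Set[str]) -> bool:
    """True if every flagged validator going offline at once would stall
    consensus, i.e. faulty stake reaches one third of the total."""
    return at_risk_fraction(stakes, flagged) * 3 >= 1


def smallest_stalling_subset(stakes: Dict[str, int], flagged: Set[str]) -> List[str]:
    """Fewest flagged validators whose combined stake reaches the 1/3 bar.
    Taking the largest stakes first minimises the count. Returns [] when
    even all flagged validators together stay below the bar."""
    total = sum(stakes.values())
    chosen, acc = [], 0
    for v in sorted(flagged, key=lambda name: (-stakes[name], name)):
        chosen.append(v)
        acc += stakes[v]
        if acc * 3 >= total:
            return chosen
    return []


# --- constructed sample data (not real validators or stake) ---
STAKES = {"v1": 300, "v2": 250, "v3": 200, "v4": 150, "v5": 100}  # total 1000
FLAGGED = {"v2", "v4", "v5"}  # validators a host audit would mark sub-standard

if __name__ == "__main__":
    share = at_risk_fraction(STAKES, FLAGGED)
    print(f"stake on flagged validators: {float(share):.1%}")
    print(f"liveness at risk: {liveness_at_risk(STAKES, FLAGGED)}")
    print(f"smallest stalling subset: {smallest_stalling_subset(STAKES, FLAGGED)}")
```

The delegator question from the thread maps onto this directly: moving stake off a flagged validator lowers `at_risk_fraction`, and a network-level score is only meaningful once it is weighted this way, since three tiny misconfigured validators and one large one are very different risks.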