About the frankenaddress spoofing attacks that are possible on Cardano, how big of a deal is it?

As we know, a few days/weeks ago frankenaddresses - something unique to Cardano due to its unique double key way of combining addresses to a spending half and staking half, giving a possibility to have an address with different private keys for spending and staking, and possibility to forge an address that has your staking key and somebody else’s spending key and vice versa.
That means that if some dApp verifies wallets by staking keys, somebody could make a frankenaddress that would stake on behalf of someone else but the attacker could spend it. That means that if somebody’s stake key can claim some tokens, somebody else could steal those claims easily with a forged frankenaddress. That’s what happened to XrayStake platform - somebody stole a whole lot of other people’s Xray staking rewards this way. And that means this exploit could as well be abused to steal other tokens claimed by staking keys, like DripDropz and so on.
This seems kinda serious, can we even design token claims in a way that could not be exploited by franken addresses? Dapp devs surely need to start taking this possibility into account and design token claiming accordingly. Hopefully this exploit won’t damage Cardano’s reputation as being hack-resistant too badly, as this was our first smart contract exploit and it wasn’t even that sophisticated to pull off.
Frankenattack postmortem: Franken Attack. Report on how RayStake was attacked and… | by Ray Network | Oct, 2022 | Medium

nvm. check my next post

That thread seems to be about MEV on Cardano, not about frankenaddress exploits like the one that happened recently on Xray staking platform. So even though it’s still on Cardano exploitation topic, it’s not at all on my thread’s particular topic, I don’t see anyone talking about franken address exploits in that Twitter thread.
You can read the frankenattack postmortem here: Franken Attack. Report on how RayStake was attacked and… | by Ray Network | Oct, 2022 | Medium
The only discussions on this attack I could find were a few comments on RayNetwork Twitter https://twitter.com/raynetwork?lang=cs - and that’s only a couple of comments, not really enough discussion that should be warranted on this topic, that’s why I started this thread. Seems like much too big a deal for nobody to talk about. I wouldn’t even know that it happened if Army Of Spies didn’t speak for one minute about it on their recent video, and for some reason unfairly brushed it off as a little bit of nothingburger just because there was “only” 400K ADA stolen. I don’t know about you but 400K ADA stolen still sounds like a big deal to me. I’m pretty sure this exploit literally caused Xray to drop over 30% and ADA itself to drop 10% from 0.4 to 0.36 as the attacker probably sold all that ADA or some people panic sold the bad news.

Ah sorry my bad ^^ I misread that :stuck_out_tongue:

To your question, I found an explanation from @HeptaSean about this topic:

To identify where the stake should be delegated to and where the rewards should go, most Cardano addresses contain a stake key hash in addition to a payment key hash.
Your stake is everything on addresses with your stake key hash taken together.
That’s how Cardanoscan knows which addresses belong together. And that’s why most Cardano addresses are so long.
But the network does not know anything about wallets, seed phrases, derivation paths, … You can combine any payment key hash with any stake key hash.
Usually wallet apps take payment keys derived from your seed phrase and the stake key derived from it.
But there is no way to enforce that. In fact, a lot of SPOs do not even use seed phrases or hardware wallets, but generate random key pairs as files directly.
To spend the funds on an address, only a signature of the payment key is needed, but not one of the stake key. Stake key signatures are only needed for delegations and withdrawals of rewards.
So, if a service does what Ray did and sends rewards for a stake key back to an address with that stake key hash, it can be fooled by combining a payment key you control with the stake key hash of someone else.

I hope that helps and explains the matter.

The exploit can only work for native token claims, not for ADA staking reward claims.
Basically this exploit means that if some smart contract relies on someone spending from an address with some staking key to prove they own the staking key - it’s not really a valid proof, as anyone can forge a frankenaddress with somebody else’s staking key that the attacker could actually spend from. And such address can then be used to fool vending machines to send native token staking rewards to someone who doesn’t actually control that particular stake key.
If this exploit was known about before, it could have been also used to steal everyone’s ISPO SUNDAE rewards from DripDropz, or to steal any of the current other people’s stake-weighted DripDropz claims. For example if DripDropz allows any stake key to claim some token X, and gives Y of that token for every ADA staked from that key, somebody could fool that machine and steal that token claim on behalf of someone who has millions of ADA staked, even though the attacker only holds a little bit of ADA.
Hopefully DripDropz and other similar vending machines are already redesigning the claiming mechanics so they can’t be exploited this way, not sure how such a redesign could work though, hopefully they can think of some exploit-proof alternative.
Or maybe it could be exploited for some similar smart contract exploit the other way around (spoofing the spending key instead) that nobody has yet thought about.
edit: as HeptaSean explained in the reply below - DripDropz already is protected from this attack by design, so it looks like only Xray platform was vulnerable to this attack by bad design. And hopefully Xray devs will be more careful in the future designing their functionalities.

Wouldn’t even call it an attack. Everybody doing development on Cardano should have known that this is possible after they have learned how Cardano addresses work.

It should not be detrimental to Cardano’s reputation, just to Ray’s reputation, because they relied on something that was never intended to be relied on by the protocol. Period.

It is not possible with DripDropz and it was never as far as I know. They do not send back to the address paying the fee, but to the address that last did a delegation of the stake key, which requires a signature of that stake key and, hence, guarantees the ownership.
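
An added example, not code from any poster or from Ray/DripDropz: it models the two payout designs discussed in this thread on raw base-address bytes (CIP-19 layout, after bech32 decoding). The keys, the reward table and the `LAST_DELEGATION` lookup are constructed assumptions standing in for real chain data.

```python
import hashlib
from typing import NamedTuple

class BaseAddress(NamedTuple):
    network: int
    payment_hash: bytes   # credential whose signature spends the funds
    stake_hash: bytes     # credential that delegates and withdraws rewards

def key_hash(verification_key: bytes) -> bytes:
    # Cardano key credentials are Blake2b-224 hashes of the verification key.
    return hashlib.blake2b(verification_key, digest_size=28).digest()

def parse_base_address(raw: bytes) -> BaseAddress:
    # CIP-19: 1 header byte (high nibble = type, low nibble = network id),
    # then a 28-byte payment credential and a 28-byte stake credential.
    if len(raw) != 57 or raw[0] >> 4 != 0:
        raise ValueError("not a key-hash/key-hash base address")
    return BaseAddress(raw[0] & 0x0F, raw[1:29], raw[29:57])

def payout_to_requester(requester: bytes, rewards: dict) -> tuple:
    # Flawed design: the stake hash inside the requesting address is treated
    # as proof of ownership and the reward is sent back to that address.
    return requester, rewards.get(parse_base_address(requester).stake_hash, 0)

def payout_to_last_delegator(requester: bytes, rewards: dict,
                             last_delegation: dict) -> tuple:
    # Design described in the thread: ignore where the request came from and
    # pay the address recorded for the stake key's last delegation, an action
    # that required a stake key signature.
    stake = parse_base_address(requester).stake_hash
    if stake not in last_delegation:
        raise LookupError("stake key never delegated; no verified payout address")
    return last_delegation[stake], rewards.get(stake, 0)

# Constructed sample data: byte strings stand in for real verification keys.
ALICE_PAY, ALICE_STAKE, OTHER_PAY = (
    key_hash(k) for k in (b"alice-pay", b"alice-stake", b"other-pay"))
MAINNET_BASE = bytes([0x01])                          # type 0, network id 1
ALICE_ADDR = MAINNET_BASE + ALICE_PAY + ALICE_STAKE
MIXED_ADDR = MAINNET_BASE + OTHER_PAY + ALICE_STAKE   # foreign payment credential
REWARDS = {ALICE_STAKE: 500}
LAST_DELEGATION = {ALICE_STAKE: ALICE_ADDR}           # hypothetical chain-index lookup

if __name__ == "__main__":
    print(payout_to_requester(MIXED_ADDR, REWARDS)[0] == MIXED_ADDR)       # True
    print(payout_to_last_delegator(MIXED_ADDR, REWARDS,
                                   LAST_DELEGATION)[0] == ALICE_ADDR)      # True
```
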

Oh, thanks. Yes this sounds like a very good way to prevent this exploit, so I guess the RayStake platform is also redesigning their claims to work this way, and every other vending machine should too. At least we know of some working solution to this problem, that is good to know. Hopefully everyone in the future who designs a claiming mechanic will be aware of this possible exploit and never sends the claims back to the address that sent the transaction asking to claim.

Well I think there should at least be a lot more public awareness about franken-addresses. People should know they are a thing and what that means and what it can be used or possibly abused for. I think it was because of this low awareness about them that the Xray platform could operate for months before someone got the idea to attack it that way. If there is more public awareness about these frankenaddresses such exploits would not be happening. It would be good for the ecosystem if a lot of people knew this is possible.
So far, any discussions about frankenaddresses are deeply hidden in some places with very few visitors, and for example Eternl only allows to create those when you go deep into its advanced features.
I think it would be a good thing if Charles himself made a video thoroughly explaining what they are and what they can do.