Shortly after publishing my article on Skycoin hardware wallet issues, I discovered that the Skycoin developers had missed two important patches for old upstream firmware vulnerabilities in the Trezor that were still present in their code, so I reported that problem as well.
The buffer overflow vulnerability in particular could have a serious security impact depending on firmware compilation settings, but there are indications that this is not the case for the Skycoin firmware.
Receive Buffer Overflow Vulnerability
For Skycoin, the vulnerable function is located here.
Stack Overflow in BIP39 Recovery Procedure
In this case, the problematic code is located here.
Reporting the issues was fairly quick and straightforward. Since encrypted communication with the vendor was already established and upstream patches for the problems were available, the disclosure process was finished in less than a month and with little overhead.
| Skycoin hardware-wallet | GitHub | patches, firmware revision unclear | ? |
| 2020-08-14 | Disclosure to Skycoin |
| 2020-08-30 | Skycoin acknowledges disclosure email |
| 2020-09-03 | Public GitHub pull request with patches |
| 2020-09-07 | GitHub main branch patched |
A Note About the Research
I want to emphasize that this research was done on my own time and initiative. In particular, it was not incentivized by SatoshiLabs, for whom I do some paid security research on the upstream project.
Skycoin provided a bug bounty for these issues.