Repository for all OSINT and code relating to the ZenGo Wallet Challenge (#ZengoWalletChallenge). All information and code in this repository is CC0 licensed. Do with it what you wish, add a PR if you like, and if you break the wallet consider giving back some sats ;)
Dates: 9 to 28 January 2024
Status: Ongoing
Conditions: ZenGo White Hat Conditions apply
Official HINTS
- Hint #1: The Email Address associated with this wallet is zengowalletchallenge@mailinator.com
- Hint #2: The email address associated with the Recovery File Cloud Backup is: zengowalletchallenge@kzencorp.com
[ADD SCREENSHOT]
- no DoS / DDoS
- no social engineering (phishing, vishing, smishing)
- no SSL/TLS config attacks on server
- yes RCE on server
- yes to SQL injection
Out of Scope:
- Previously known vulnerable libraries without a working proof of concept
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
Confirmed by Zengo team via Twitter on 14 Jan
Personal Commitment to how funds will be used
OSINT - Certik blog - Fortifying ZenGo: Unearthing and Defending Against Privileged User Attacks (4/4/2023)
BTC address: 3NB5gbyhCQM92WUpHxfpK7PqC1KKTAYwpK
ETH address: 0x3ceb6a3eeb69a3b8fd4d1865dde9799310e547b7
Thread Reader Unroll: Tweets 1 - 114
DEF CON 31 - Small Leaks, Billions Of Dollars - Nikolaos Makriyannis, Oren Yomtov
DeCompute'23 - Nikolaos Makriyannis - Practical KeyExtraction attacks in leading wallets
Want to contribute to the repo? Make a PR or just fork the whole main branch.
'main' has been renamed 'niclaz' - call it your own if you like. It is all CC0.
If you found this useful (especially if you crack that wallet because of it) please consider sending me some sats ;)
mainnet BTC (P2SH): 3GqdnZk6FbZth35jVFNzJ2zxabwijeSnCh
mainnet BTC (Native SegWit): bc1qpkqvqk2faaufqcqw0slukwu5hkcfmw3na07egh
Lightning BTC: 0x1dd47171ac43fb86@ln.tips