Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Henlo Kart post mortem - 1622

henlokart, Posted 11 Months Ago
  • The team behind the Henlo Kart product was working on publishing two public packages to NPM. They were worried that sensitive files, such as the .env file containing deployment credentials, would be leaked. They kept these files out of the published packages via the .gitignore file. For the initial deployment of the two packages, this worked well.
  • Later, an update to one of the packages was made - they wanted to exclude additional files from NPM. So, they created an .npmignore file to do this. Surprisingly, the presence of this file invalidated the .gitignore! This meant that the sensitive .env file was leaked. This contained a private key for the deployer account.
  • After a few hours, they noticed the error. They attempted to revoke the package version, but this was not allowed because other packages they created depended on it. By the time they contacted NPM to remove the package, the damage was done - the key had been exposed. An attacker found it.
  • The attacker took about 60 ETH that was sitting in Aave. Additionally, they took control of the core Henlo contract, giving them the ability to mint new tokens. The team was able to recover some of the funds, but the damage had been done. So, they rebranded the product and launched a new token from the previous snapshots.
  • The attackers are real! This is a sad reminder of that. Good explanation of the attack and the failures though.
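
A pre-publish check for the failure described above, as an added example that is not code from the post mortem or the Henlo Kart team: it reports which .gitignore rules stop protecting a package once an .npmignore file exists. The function names and sample file contents are constructed for illustration, and patterns are compared as strings rather than evaluated as globs.

```javascript
// Added example, not code from the Henlo Kart post mortem.
// Simplifications (assumptions): patterns are compared as normalised strings,
// not evaluated as globs, and the package.json "files" allowlist is not considered.

// Parse ignore-file text into patterns, skipping blank lines and comments.
function parsePatterns(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("#"));
}

// Treat ".env", "/.env" and ".env/" as the same rule.
function normalise(pattern) {
  return pattern.replace(/^\//, "").replace(/\/$/, "");
}

// gitignoreText / npmignoreText: file contents, or null when the file is absent.
function auditIgnoreFiles(gitignoreText, npmignoreText) {
  const gitRules = gitignoreText === null ? [] : parsePatterns(gitignoreText);
  if (npmignoreText === null) {
    // No .npmignore: npm falls back to .gitignore, so nothing is dropped.
    return { used: gitignoreText === null ? null : ".gitignore", dropped: [] };
  }
  // .npmignore present: .gitignore is no longer consulted when packing.
  const npmRules = new Set(parsePatterns(npmignoreText).map(normalise));
  const dropped = gitRules
    .filter((rule) => !rule.startsWith("!")) // re-include rules cannot leak files
    .filter((rule) => !npmRules.has(normalise(rule)));
  return { used: ".npmignore", dropped };
}

// Convenience wrapper for a package directory on disk.
function auditPackageDir(dir) {
  const fs = require("fs");
  const path = require("path");
  const read = (name) => {
    const file = path.join(dir, name);
    return fs.existsSync(file) ? fs.readFileSync(file, "utf8") : null;
  };
  return auditIgnoreFiles(read(".gitignore"), read(".npmignore"));
}

// Constructed sample mirroring the incident: .env is only listed in .gitignore.
const sampleGitignore = "# secrets\n.env\ncoverage/\n";
const sampleNpmignore = "test/\ndocs/\n";
console.log(auditIgnoreFiles(sampleGitignore, sampleNpmignore));
```

A non-empty `dropped` list is a reason to stop the publish and confirm the actual tarball contents before release.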