Enyk Limited

[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Report for Hummingbot Miner

Web Application Penetration Test
Version 1.1

4th February 2022

Enyk Limited

Prepared For:
CoinAlpha Inc

Prepared By:
Samuel Tang
William Lam
Chris Chan
Chu Ka-cheong
Enyk Limited

1
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Introduction
This report documents the findings of a penetration test assignment aimed at assessing the
security of the Hummingbot Miner Web Application. CoinAlpha Inc engaged Enyk Limited to
conduct a security review on the said application. The test was conducted in January 2022
over the course of 10 person-days with two security analysts, yielded 11 security-impacting
findings ranging from high to low severity, and 4 informational issues.

The test followed the black-box approach. Enyk had access to the production and staging
deployment, and several hosts related to the deployment. An extensive and clear
documentation on the architecture was given to us, allowing us to reach a maximum
possible coverage within the allocated time. Throughout the engagement, communications
were done via email. It must be noted that all the communications were efficient and prompt,
resulting in a productive assessment exercise.

During the engagement period, the Hummingbot team promptly provided fixes for issues
discovered. Enyk verified the fixes for HBOT-01-001 on the production environment. As of
28th January 2022, all high-risks findings were adequately mitigated.

Overall, the project attained a satisfactory level of security. The application was developed
using modern technology stacks and the servers are protected by a properly configured
WAF. Despite very thorough penetration tests, only one of the issues spotted was ranked as
“High” in terms of security and risk it posted. Otherwise, the various arenas in the scope held
up to Enyk’s scrutiny. Enyk recommends addressing the findings presented. Furthermore, it
is highly encouraged to conduct security assessments on Hummingbot’s applications and
infrastructure on a regular basis.

Proprietary Notice

This document is developed by Enyk Limited. Information contained in this document may contain (1) information
provided by the CoinAlpha, Inc. and (2) the pre-existing materials of Enyk Limited or materials of general
applicability (not specifically developed or originally designed for the CoinAlpha, Inc. under this project). All rights
to those materials are expressly reserved by the respective parties. This document is intended to be used solely
by the authorized recipients of this report. No third party is authorized to read, copy, reproduce or use any
information contained in this document unless with the prior written consent of the CoinAlpha, Inc.. Enyk Limited
shall not, in any event, be liable for any loss or damages caused to any third party by reason of the third party’s
use of or reliance on any information contained in this document unless Enyk Limited has consented to such
liability by notice in writing addressed to such third party.

2
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Table of Contents

Introduction 2

Table of Contents 3

Methodology 6
Scope 6
Assessment Goals 6
Automated Scanning 6

Findings 8
Summary of Findings 8
Identified Vulnerabilities 9
HBOT-01-001: Retrieve auth token for new accounts on registration API without
email access (High) 9
Vulnerability Description 9
Attack Scenario 9
Suggested Fix 9
Exploit Procedure 9
HBOT-01-002: Auth token lifetime too long (Medium) 10
Vulnerability Description 11
Suggested Fix 11
HBOT-01-003: Multiple domains missing access control to specific endpoints
(Medium) 11
Vulnerability Description 11
Suggested Fix 13
HBOT-01-004: Leaked Slack webhook URL (Medium) 13
Vulnerability Description 14
Attack Scenario 14
Suggested Fix 14
HBOT-01-005: Avatar URL is not validated from update account API (Medium) 14
Vulnerability Description 14
Attack Scenario 14
Suggested Fix 15
Exploit Procedure 15
HBOT-01-006: File extension validation is not enforced in `get_presigned` API
(Medium) 16
Vulnerability Description 17
Attack Scenario 17
Suggested Fix 17
Exploit Procedure 17

3
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

HBOT-01-007: File size is not enforced in AWS S3 (Medium) 19

Vulnerability Description 19
Attack Scenarios 19
Malicious or illegal file hosting (abusing HBOT-01-006, HBOT-01-007,
HBOT-01-008) 19
Large file size avatar image (abusing HBOT-01-007) 19
Suggested Fix 19
Exploit Procedure 19
HBOT-01-008: Obsoleted user avatars are not be removed from AWS S3 (Low) 21
Vulnerability Description 21
Attack Scenario 21
Suggested Fix 21
Exploit Procedure 22
HBOT-01-009: Subject and audience fields are not validated from the login API (Low)
24
Vulnerability Description 24
Suggested Fix 24
HBOT-01-010: Wallets with invalid memo can be created via create wallet API (Low)
24
Vulnerability Description 24
Suggested Fix 25
Exploit Procedure 25
HBOT-01-011: Multiple vulnerabilities for Grafana (Low) 26
Vulnerability Description 26
Suggested Fix 27
Miscellaneous Issues 27
HBOT-01-012: Payouts can be assigned to non-desired wallets via wallet APIs 27
Vulnerability Description 27
Suggested Fix 27
Exploit Procedure 27
HBOT-01-013: HTTP Strict Transport Security (HSTS) not following best practices 28
Vulnerability Description 28
Suggested Fix 29
HBOT-01-014: Content Security Policy (CSP) is not implemented 29
Vulnerability Description 30
Suggested Fix 31
HBOT-01-015: Subresource Integrity (SRI) not implemented 31
Vulnerability Description 31
Suggested Fix 32

Revision History 33

4
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Appendix A. Risk Modeling 34

Appendix B. Security Service Team Profile 35

Samuel Tang 35
William Lam 35
Chris Chan 35

Appendix C. Fix Log 36

Detailed Fix Log 36
HBOT-01-001: Retrieve auth token for new accounts on registration API without
email access 36

5
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Methodology

Scope
The Enyk team is given the staging and the production environments of Hummingbot:

● Staging Environment (https://staging.miner.hummingbot.io/)

○ Two testing accounts (their auth tokens) were made available to Enyk
Limited.
○ The password to access the environment was made available to Enyk
Limited.
● Production Environment (https://miner.hummingbot.io/)
○ Two testing accounts (their auth tokens) were made available to Enyk
Limited.
○ Architecture summary was made available to Enyk limited.

Assessment Goals
The team conducted a black-box testing on the said application using both manual testing
and automated testing methods.

The team focuses on the APIs and was interested to answer the below questions during
manual test:

1. Is the authentication (integrated with magic.link) implemented correctly?

2. Is the access control for the API configured correctly?
3. Is it possible to bring unexpected behaviors when connecting wallets, exchanges and
payouts?
4. Is the infrastructure configured correctly?

The issues found by the automated tools will also be documented in the report. They will be
marked as informational unless the issues post a threat to the system.

Automated Scanning
Two automated scanning tools were used in this penetration test:

1. Acunetix for scanning web and API vulnerabilities

2. Nessus for scanning open ports that are accessible from external network

The Enyk team tested on different environments depending on the type of bugs.

1. The team tested the application logic primarily on the staging environment. It is
assumed that the staging and the production environments have the same issues.

6
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

2. The team tested the infrastructure on the production environment, as it is expected

that there are discrepancies between the staging and the production environment.

Open port scanning was conducted during the penetration test. The scan result is as follows
in Table 1:

FQDN Resolved IP Open Ports

api.coinalpha.com 172.66.43.115 80, 443, 2052, 2053, 2082,

2083, 2086, 2087, 2095,
2096, 8080, 8443, 8880

miner.hummingbot.io 178.128.104.229 80, 443, 8301, 30249, 31574

staging.miner.hummingbot.io 178.128.124.245 80, 443, 8301, 30726, 32063

papi.hummingbot.io 52.84.158.39 80, 443

mesh.hummingbot.io 52.84.158.39 80, 443

dashboard-staging.hummingbot.io 52.84.158.39 80, 443

api.hummingbot.io 52.84.158.92 80, 443

dashboard-dev.hummingbot.io 52.84.158.92 80, 443

mesh-ropsten.hummingbot.io 52.84.158.99 80, 443

api-staging.hummingbot.io 52.84.158.99 80, 443

papi-staging.hummingbot.io 52.84.158.99 80, 443

api-development.hummingbot.io 52.84.158.99 80, 443

papi-development.hummingbot.io 52.84.158.99 80, 443

discord-int.coinalpha.com – Ping Failed – – Ping Failed –

Table 1. The open port scanning result for each domain.

7
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Findings

Summary of Findings
During the course of the penetration test, there were several security findings identified in
the instance of Hummingbot Miner. The severity of the vulnerabilities are listed in Table 2:

Severity Issue

High HBOT-01-001: Retrieve auth token for new accounts on registration API
without email access

Medium HBOT-01-002: Auth token lifetime too long

HBOT-01-003: Multiple domains missing access control to specific

endpoints

HBOT-01-004: Leaked Slack webhook URL

HBOT-01-005: Avatar URL is not validated from update account API

HBOT-01-006: File extension validation is not enforced in AWS S3

HBOT-01-007: File size is not enforced in AWS S3

Low HBOT-01-008: Obsoleted user avatars are not be removed from AWS
S3

HBOT-01-009: Subject and audience fields are not validated from the
login API

HBOT-01-010: Wallets with invalid memo can be created via create

wallet API

HBOT-01-011: Multiple vulnerabilities for Grafana

Info HBOT-01-012: Payouts can be assigned to non-desired wallets via

wallet APIs

HBOT-01-013: HTTP Strict Transport Security (HSTS) not following best

practices

HBOT-01-014: Content Security Policy (CSP) is not implemented

8
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

HBOT-01-015: Subresource Integrity (SRI) not implemented

Table 2. The titles of the vulnerabilities found with the risk scores.

Identified Vulnerabilities

HBOT-01-001: Retrieve auth token for new accounts on

registration API without email access (High)

Likelihood Impact Overall Risk

4 5 20

Vulnerability Description

The team has identified that the registration API (POST /bounty/user/register/magic)
creates a user given only email and subscribe_to_newsletter. An user will be created and
an auth token for the users will be returned. Attackers could then use the auth token to
access the newly created account, without having access to the email address.

Attack Scenario

Mallory knows that Alice is going to create an account using a specific email address.
Mallory calls the registration API using Alice’s email address, and takes the auth token from
the response. Mallory thus has access to Alice’s account until the token expires.

Suggested Fix

It is advised to include the DID token generated by magic.link as a parameter of the

registration API.

Exploit Procedure

The following steps simulate an adversary obtaining an auth token of a unregistered user
([email protected]):

1. Call POST /bounty/user/register/magic with email address being

[email protected]. If an account is created, auth_token will be returned along with
the user object (See Figure 3).
2. Open a page from https://staging.miner.hummingbot.io/, set the auth token from the
browser’s console (See Listing 4) and refresh the page. The adversary is now signed
in as [email protected] (See Figure 5).

9
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 3. Creating an account without calling magic.link’s API.

localStorage.setItem('auth_token',
'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHBpcmF0aW9uIjoxNjQ1Mjc3NTg0LCJjbGllbnRf
aWQiOiJUTVlXS1E1Vk5KSFBESkhWVUwxS1pGVlhHTUlJRjQwMCJ9.CKf-JB_x47ZO09zpeyIIdoQcb2OKD
3hZI3MnAvHC1uk')
Listing 4. Javascript code snippet to set auth token via browser console.

Figure 5. An adversary is signed on as the desired email address.

HBOT-01-002: Auth token lifetime too long (Medium)

Likelihood Impact Overall Risk

2 3 6

10
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Vulnerability Description

The team has identified that auth tokens have an expiry of one month, which is too long. The
expiry limits the amount of time for a hijacker to impersonate the victim.

Suggested Fix

It is not suggested to use JWTs for sessions1. JWT can be used as a short-term token that
expires in a short period of time (for example, 4 hours). Instead, it is suggested to give the
users a revocable refresh token upon signing in, and short-term JWT access tokens can be
created by the refresh token whenever the current access token expires2.

It is also recommended to show the users the active sessions for self-auditing.

HBOT-01-003: Multiple domains missing access control to

specific endpoints (Medium)

Likelihood Impact Overall Risk

4 2 8

Vulnerability Description

The team has identified multiple domains and API endpoints that might be missing access
control, the information obtained from the page might be disclosed unintendedly.

FQDN Endpoints Description

api.hummingbot.io GET /metrics Prometheus monitoring (see Figure 7)

GET /debug/vars Golang expvar endpoint (see Figure 8)

api-development.hummingbo GET /bounty/* Missing cookie access password to

t.io prevent unauthorized access.
GET /metrics Prometheus monitoring (see Figure 7)
GET /debug/vars Golang expvar endpoint (see Figure 8)

1
Curity AB (2022) “JWT Security Best Practices” https://curity.io/resources/learn/jwt-best-practices/
2
OAuth (2012) “OAuth Refresh Tokens” https://oauth.net/2/refresh-tokens/

11
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

api-staging.hummingbot.io GET /bounty/* Missing cookie access password to

prevent unauthorized access.
GET /metrics Access control implemented
GET /debug/vars Access control implemented

dashboard-dev.hummingbot.i GET /metrics Prometheus monitoring (see Figure 7)

o GET /* Grafana dashboard (see Figure 9)

dashboard-staging.humming GET /metrics Prometheus monitoring (see Figure 7)

bot.io GET /* Grafana dashboard (see Figure 9)

Table 6. List of endpoints that lack access control.

Figure 7. Page view of /metrics.

12
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 8. Page view of /debug/vars.

Figure 9. Page view of the login page of Grafana.

Suggested Fix

It is suggested to disable or implement access control toward the listed endpoints to prevent
unauthorized access. HTTP 401 authentication can be implemented according to the web
server, or, the cookie access password page can also be implemented for the
non-production endpoints if appropriate.

HBOT-01-004: Leaked Slack webhook URL (Medium)

13
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Likelihood Impact Overall Risk

3 4 12

Vulnerability Description

The team has identified that a Slack webhook url is directly used from the “Feedback” button
on the left of the screen. An adversary can make use of the Slack webhook to send
messages to specific channels, leading to unexpected user behaviors.

Attack Scenario

Mallory can make use of the channel override feature of Slack webhooks to send phishing
messages, leading to installing malicious apps on Slack. Mallory is then able to exfiltrate
data from the developers’ workspace 3.

Suggested Fix

It is advised that the Slack webhook URL should be wrapped by an API to avoid direct use of
Slack webhooks. The parameters should also be validated to prevent phishing attempts as
per suggested in AT&T’s blog post.

HBOT-01-005: Avatar URL is not validated from update account

API (Medium)

Likelihood Impact Overall Risk

4 3 12

Vulnerability Description

The team has identified that the profile image URL could be customized and need not to be
in https://hummingbot-miner.s3.amazonaws.com/avatars/. This allows an adversary to obtain
the IP addresses of visitors by updating the avatar URL to the self-hosted server URL.

Attack Scenario

Mallory changes his profile image to a self-hosted image. When Alice visits a page that
contains Mallory’s avatar (for example, the leaderboard if Mallory is ranked), her browser will
fire a HTTP request to Mallory’s host and her IP will be known by Mallory.

3
Ashley Graves, AT&T Cybersecurity (2020) “Slack phishing attacks using webhooks”
https://cybersecurity.att.com/blogs/labs-research/slack-phishing-attacks-using-webhooks

14
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Suggested Fix

It is recommended to prepend the S3 bucket path to the user-provided URL. This prevents
loading images from other sources.

Also, it is suggested to unify the avatar file name instead of using the user provided file
name. For unified avatar file names, the word “avatar” can be used. For example:
“avatar.jpg”, “avatar.png”, “avatar.gif”.

In order to support multiple image hosts, it is suggested to create an allowlist of hosts and
assert the profile image URL comes from the aforementioned hosts.

Exploit Procedure

To simulate an adversary updating the avatar to track visitors, call

POST /bounty/user/update_account with update_params.profile_image to be
http://ATTACKER_HOST/ (See Figure 10).

When a victim visits the leaderboard and sees the adversary, a HTTP request will be made
to access the avatar from the victim (See Figure 11). From the adversary’s perspective, the
IP address of the victim is logged (See Figure 12).

Figure 10. Changing the profile image of the current user to an external host.

15
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 11. A victim requested the adversary’s hosted image.

Figure 12. The adversary obtained the victim’s IP.

HBOT-01-006: File extension validation is not enforced in

`get_presigned` API (Medium)

Likelihood Impact Overall Risk

4 3 12

16
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Vulnerability Description

The team has identified that arbitrary file extension can be used to generate the presigned
information for files uploaded to AWS S3. An adversary could abuse the storage to host files
with arbitrary type other than image type. Although the AWS S3 returns
“application/octet-stream” in the “Content-Type” HTTP header, which forces the browser to
disregard the actual file type, it is suggested to validate extensions to prevent any exceptions
that might be caused by future updates.

Attack Scenario

Please refer to HBOT-01-007.

Suggested Fix

It is suggested to limit the allowed file extensions.

Exploit Procedure

{{api}}: The API. (i.e.: https://api-staging.hummingbot.io)

{{cid}}: The client ID of the current signed-on user.

(i.e.: L0GJRRK3UYQ9E5ES9GUSBU39ZXXNTAOS)

{{fn}}: Any file name. (i.e.: test.html)

{{s3}}: The AWS S3 bucket domain. (i.e.: https://hummingbot-miner.s3.amazonaws.com)

{{s3_*}}: All the presigned information obtained from the response body in Step 1.

{{file}}: The desired file to be uploaded.

The following steps simulate an adversary uploading non-image files (.html) to AWS S3.

1. Send request to
GET {{api}}/bounty/user/get_presigned?client_id={{cid}}&file_name={{fn}}
(See Figure 13)
2. Upload the file to POST {{s3}} with any extension (See Figure 14)
3. Verify the uploaded files by accessing URL: {{s3}}/avatars/{{cid}}/{{fn}}. (i.e.:
https://hummingbot-miner.s3.amazonaws.com/avatars/L0GJRRK3UYQ9E5ES9GUS
BU39ZXXNTAOS/test.html)
4. [Optional] Provide different file extensions in {{fn}} and repeat Step 1 to 3.

17
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 13. Generate pre-signed information.

Figure 14. Upload the desired file with .html (non-image) extension.

18
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

HBOT-01-007: File size is not enforced in AWS S3 (Medium)

Likelihood Impact Overall Risk

4 3 12

Vulnerability Description

The team has identified that the file size limit for the user's avatar is only enforced in the
client-side. An adversary can upload arbitrary files without size limit to the AWS S3 storage
by a sequence of steps.

Attack Scenarios

Malicious or illegal file hosting (abusing HBOT-01-006, HBOT-01-007, HBOT-01-008)

Mallory can distribute malwares or upload illegal files on the AWS S3 by creating a new
account on the platform and abusing the avatar upload feature. Mallory could even abuse
this to turn the service into a Command & Control (C2) for malwares.

Large file size avatar image (abusing HBOT-01-007)

Mallory could upload a large file size image (e.g.: 5GB), and Mallory is ranked on the
leaderboard, which leads everyone who visits the leaderboard page to load his large file size
avatar. By doing so, the network load of the S3 server is increased as per visitor, and might
lead to a DoS situation due to the slow network of the S3 server.

Suggested Fix

It is advised to implement a proper single file size limit in AWS S3 for the user’s avatar. The
following line is an example to configure the policy to allow files that smaller than 1 MB4:

["content-length-range", 0, 1048576]

Exploit Procedure

{{api}}: The API. (i.e.: https://api-staging.hummingbot.io)

{{cid}}: The client ID of the current signed-on user.

(i.e.: L0GJRRK3UYQ9E5ES9GUSBU39ZXXNTAOS)

{{fn}}: Any file name. (i.e.: test.html)

4
Amazon (2022) “Creating a POST Policy, Amazon Simple Storage Service”
https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html

19
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

{{s3}}: The AWS S3 bucket domain. (i.e.: https://hummingbot-miner.s3.amazonaws.com)

{{s3_*}}: All the presigned information obtained from the response body in Step 1.

{{file}}: The desired file to be uploaded.

The following steps simulate an adversary uploading a large size file (100MB) to AWS S3.

1. Send request to
GET {{api}}/bounty/user/get_presigned?client_id={{cid}}&file_name={{fn}}
(See Figure 15)
2. Upload the large size file to POST {{s3}} (See Figure 16)
3. Verify the uploaded file by accessing URL: {{s3}}/avatars/{{cid}}/{{fn}}. (i.e.:
https://hummingbot-miner.s3.amazonaws.com/avatars/L0GJRRK3UYQ9E5ES9GUS
BU39ZXXNTAOS/test.html)

Figure 15. Generate pre-signed information.

20
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 16. Upload the large size file.

HBOT-01-008: Obsoleted user avatars are not be removed from

AWS S3 (Low)

Likelihood Impact Overall Risk

2 2 4

Vulnerability Description

The team has identified that the unused avatar files are not removed from S3. Yet, users are
able to control the upload file name in the GET /bounty/user/get_presigned API. Therefore,
an adversary is able to upload multiple files other than one file for the avatar, and turn the
avatar service into an undesired file hosting service.

Attack Scenario

Please refer to HBOT-01-007.

Suggested Fix

It is recommended to remove / replace the existing avatar file(s) in the user’s avatar folder.

21
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Exploit Procedure

{{api}}: The API. (i.e.: https://api-staging.hummingbot.io)

{{cid}}: The client ID of the current signed-on user.

(i.e.: L0GJRRK3UYQ9E5ES9GUSBU39ZXXNTAOS)

{{fn}}: Any file name. (i.e.: test.html, test2.html)

{{s3}}: The AWS S3 bucket domain. (i.e.: https://hummingbot-miner.s3.amazonaws.com)

{{s3_*}}: All the presigned information obtained from the response body in Step 1.

{{file}}: The desired file to be uploaded.

The following steps simulate an adversary uploading multiple avatars to the AWS S3, and
proving the previous avatar (test.html) did not remove after the new avatar (test2.html)
has been uploaded.

1. Send request to
GET {{api}}/bounty/user/get_presigned?client_id={{cid}}&file_name={{fn}}
(See Figure 17)
2. Upload the avatar file to POST {{s3}} (See Figure 18)
3. Verify the uploaded files by accessing URL: {{s3}}/avatars/{{cid}}/{{fn}} with the
{{fn}} used for the first and second upload. For example:
1st upload (test.html):
https://hummingbot-miner.s3.amazonaws.com/avatars/L0GJRRK3UYQ9E5ES9GUS
BU39ZXXNTAOS/test.html
2nd upload (test2.html):
https://hummingbot-miner.s3.amazonaws.com/avatars/L0GJRRK3UYQ9E5ES9GUS
BU39ZXXNTAOS/test2.html

22
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 17. Generate pre-signed information.

Figure 18. Upload the desired file.

23
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

HBOT-01-009: Subject and audience fields are not validated

from the login API (Low)

Likelihood Impact Overall Risk

1 4 4

Vulnerability Description

The subject and the audience fields are respectively the entity IDs for the user and the
application generated by magic.link5. The team has identified that the server did not validate
the subject field (sub) and the audience field (aud) for generated decentralized ID tokens
from magic.link. Since the fields are not validated, DIDs generated by an user that has the
same issuer (iss) could be authenticated by Hummingbot Miner.

Despite the severity, the team still suggested a low severity nonetheless because the keys
generated by magic.link should be different per application end-user6. This lowers the
likelihood that the vulnerability could be utilized.

Suggested Fix

It is advised to store the entity ID for users and validate the subject field (sub) during
authentication. The audience field (aud) should also be checked against the application’s
entity ID.

HBOT-01-010: Wallets with invalid memo can be created via

create wallet API (Low)

Likelihood Impact Overall Risk

1 3 3

Vulnerability Description

The team has identified that a wallet with invalid memo can be created via POST
/bounty/wallets. This not only allows users to create wallets with memos exceeding the
100-character limit, it also can make users inaccessible to /settings/wallets (it would show a
blank screen). It may potentially lead to DoS for payouts performed weekly in the
background.

5
Magic (2022) “Getting Started with Decentralized ID (DID) Tokens”
https://magic.link/docs/introduction/decentralized-id
6
Magic (2022) “Zero-Knowledge Proofs, Security” https://magic.link/docs/introduction/security

24
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Suggested Fix

It is advised to validate the types of the parameters. In this case, the memo parameter in
POST /bounty/wallets.

Exploit Procedure

The team created an ETH wallet that exceeds the 100-character limit (See Listing 19). On
the other hand, the team created another ETH wallet (see Listing 20) that would make
/settings/wallets blank caused by unhandled exceptions in Javascript.

curl 'https://api-staging.hummingbot.io/bounty/wallets' \
-X POST \
-H 'Authorization: Bearer <REDACTED>' \
--data-raw '{
"chain": "ethereum",
"address": "0x8D101778B74849a53d4dd31b03C1BCBD664eAF52",
"label": "pentest",
"memo":
["pentest0123456789012345678901234567890123456789012345678901234567890123456789012
3456789012345678901234567890123456789012345678901234567890123456789012345678901234
56789012345678901234567890123456789"],
"assets": ["AVAX"]
}'
Listing 19. Command for creating a wallet that has a memo exceeding 100 characters.

curl 'https://api-staging.hummingbot.io/bounty/wallets' \
-X POST \
-H 'Authorization: Bearer <REDACTED>' \
--data-raw '{
"chain": "ethereum",
"address": "0x8D101778B74849a53d4dd31b03C1BCBD664eAF52",
"label": "pentest",
"memo": {"foo": "bar"},
"assets": ["AVAX"]
}'
Listing 20. Command for creating a wallet that makes the user unable to access
/settings/wallets.

25
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Figure 21. /settings/wallets are no longer accessible until the wallet is deleted.

HBOT-01-011: Multiple vulnerabilities for Grafana (Low)

Likelihood Impact Overall Risk

1 4 4

Vulnerability Description

The team has identified there are multiple instances of Grafana v8.2.2 on hummingbot.io,
which is vulnerable to multiple security issues including but not limited to CVE-2021-43798,
CVE-2021-43813, CVE-2021-43815. Affected domains are listed in Table 22:

Domain

dashboard-dev.hummingbot.io

dashboard-staging.hummingbot.io

26
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Table 22. List of domains for accessing the Grafana platform

Suggested Fix

It is suggested to update the Grafana to the latest version available.

Miscellaneous Issues

HBOT-01-012: Payouts can be assigned to non-desired wallets

via wallet APIs

Likelihood Impact Overall Risk

1 2 2

Vulnerability Description

The team has identified that a wallet assigned for payouts need not to be compatible. For
example, one can assign an ETH wallet to receive payouts from AVAX via the API. This
might need unknown behavior regarding payout.

Suggested Fix

It is suggested that the assets in POST /bounty/wallets should be validated so that the
wallet is compatible. This also apply for walletId in PUT /bounty/assets/*/wallets.

Exploit Procedure

The command in Listing 23 creates an Ethereum wallet that claims to be receiving payouts
from AVAX (which is not compatible) via POST /bounty/wallets.

curl 'https://api-staging.hummingbot.io/bounty/wallets' \
-X POST \
-H 'Authorization: Bearer <REDACTED>' \
--data-raw '{
"chain": "ethereum",
"address": "0x8D101778B74849a53d4dd31b03C1BCBD664eAF52",
"label": "pentest",
"memo": "pentest",
"assets": ["AVAX"]
}'
Listing 23. Command for creating an Ethereum wallet that receives payouts from AVAX, an
incompatible chain.

27
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

The command in Listing 24 links an Ethereum wallet (id being 2253) to receive payouts from
PHB (which is also not compatible) via PUT /bounty/assets/*/wallets.

curl 'https://api-staging.hummingbot.io/bounty/assets/PHB/wallets' \
-X PUT \
-H 'Authorization: Bearer <REDACTED>' \
--data-raw '{
"walletId": "2253"
}'
Listing 24. Command for linking an Ethereum wallet to receives payouts from PHB, another
incompatible chain.

HBOT-01-013: HTTP Strict Transport Security (HSTS) not following

best practices

Likelihood Impact Overall Risk

1 2 2

Vulnerability Description

The team has identified multiple endpoints that do not follow the best practices of HSTS.

FQDN Endpoint Description

miner.hummingbot.io / No HSTS
/login
/signup
/dashboard

miner.hummingbot.io / No includeSubDomains
/login directive
/signup
/market/
/market/*
/markets
/settings
/dashboard
/dashboard/
/dashboard/rewards
/dashboard/payouts
/dashboard/performance
/dashboard/order-tracking
/leaderboard

28
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

staging.miner.hummi / No HSTS
ngbot.io /login
/signup
/dashboard

staging.miner.hummi / No includeSubDomains
ngbot.io /login directive
/signup
/market/
/market/*
/markets
/settings
/dashboard
/dashboard/
/dashboard/rewards
/dashboard/payouts
/dashboard/performance
/dashboard/order-tracking
/leaderboard

dashboard-dev.humm /login max-age is less than 1

ingbot.io /user/password/reset year (31536000);
/signup
/verify
/user/password/send-reset-email

dashboard-staging.hu /login max-age is less than 1

mmingbot.io /user/password/reset year (31536000);
/signup
/verify
/user/password/send-reset-email

Table 25. List of endpoints that are not following best practices of HSTS.

Suggested Fix

It is suggested to follow the best practices while configuring HSTS. For the best practices,
please refer to HTTP Strict Transport Security - OWASP Cheat Sheet Series

HBOT-01-014: Content Security Policy (CSP) is not implemented

Likelihood Impact Overall Risk

1 2 2

29
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Vulnerability Description

The team has identified multiple endpoints that have no CSP implemented.

FQDN Endpoint

miner.hummingbot.io /
/login
/signup
/market/
/market/*
/markets
/settings
/dashboard
/dashboard/
/dashboard/rewards
/dashboard/payouts
/dashboard/performance
/dashboard/order-tracking
/leaderboard

staging.miner.hummingbot.io /
/login
/signup
/market/
/market/*
/markets
/settings
/dashboard
/dashboard/
/dashboard/rewards
/dashboard/payouts
/dashboard/performance
/dashboard/order-tracking
/leaderboard

dashboard-dev.hummingbot.io /login
/user/password/reset
/signup
/verify
/user/password/send-reset-email

30
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

dashboard-staging.hummingbot.io /login
/user/password/reset
/signup
/verify
/user/password/send-reset-email
Table 26. List of endpoints that are missing implementation of CSP.

Suggested Fix

It is suggested to implement proper CSP for the listed domains and endpoints. For the
detailed implementation of CSP best practices, please refer to Content Security Policy -
OWASP Cheat Sheet Series.

HBOT-01-015: Subresource Integrity (SRI) not implemented

Likelihood Impact Overall Risk

1 1 1

Vulnerability Description

The team has identified that Subresource Integrity (SRI) is not implemented for the listed
files.

Page URL of the resource

https://miner.hummingbot.io/ https://d33wubrfki0l68.cloudfront.net/js/ee13ee361
7a94b2cdbb69e6d20fa210336c230ff/main.js

https://static.zdassets.com/ekr/snippet.js?key=11e
56050-8c20-41cb-8b06-81b988b9e762

https://staging.miner.hummingbot.io/ https://d33wubrfki0l68.cloudfront.net/js/b999a51fb2
15a65a5aa05fa5a9c01b29d4516bb3/main.js

https://static.zdassets.com/ekr/snippet.js?key=11e
56050-8c20-41cb-8b06-81b988b9e762

Table 27. List of pages with resources that do not implement SRI.

31
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Suggested Fix

It is suggested to implement SRI for the listed files to prevent potential file temptation
attacks. Online tools such as SRI Hash Generator can be used to assist the generation of
SRI protected HTML tags.

32
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Revision History
Revision Date Changes

1.0 21st January 2022 Initial report

1.1 4th February 2022 Fix log, and final report

33
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Appendix A. Risk Modeling

During the analysis of identified risk items, a consistent risk modeling approach based on
qualitative analysis is used to portray the risk items based on factors such as confidentiality,
integrity, and availability against likelihood and impact severity.

Impact

Trivial Minor Moderate Major Extreme

1 2 3 4 5

Likelihood Rare 1 1 2 3 4 5

Unlikely 2 2 4 6 8 10

Moderate 3 3 6 9 12 15

Likely 4 4 8 12 16 20

Very likely 5 5 10 15 20 25

The score of a risk item is calculated by multiplying its likelihood score and impact severity
score. A higher score reflects a higher risk.

Each of the risk items is then classified as critical, high, medium, low or informational based
on the following classification scheme:

Informational Low Medium High Critical

1 ≤ score < 3 3 ≤ score < 5 5 ≤ score < 15 15 ≤ score < 25 score = 25

The critical risk items require immediate attention and prudent rectification actions. High risk
items require to be rectified as higher priority. The rectification actions for medium risk items
can be prioritized after the high risk items depending on the resources availability. Attention
for low risk items can be put at last. A longer duration can be allocated to rectify the low risk
items.

34
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Appendix B. Security Service Team Profile

Samuel Tang
Graduated from the Chinese University of Hong Kong with a dual degree in Mathematics
and Information Engineering, Samuel Tang is a security researcher focusing on cryptography
and web applications. He is a competitive player in Capture the Flag competitions, currently
a core member in the Hong Kong-based Black Bauhinia CTF team which ranked world 22nd
in 2021, and a member of the Shellphish team that competed in the DEFCON CTF 27 Final.
He holds OSWE, OSWP, and OSCP.

William Lam

Chris Chan
Chris Chan is a security analyst focusing on web application security and malware analysis.
He holds OSWP, OSCP, OSCE, OSEE, OSWE and OSEP. He was a speaker at the security
congress APAC 2017 and DragonCon 2017 and he has reported vulnerabilities to
companies including ASUS, Yahoo, eBay and Apple.

35
Enyk Limited
[email protected]
Unit 617, 6/F, Building 19W
Hong Kong Science and Technology Park
Hong Kong

Appendix C. Fix Log

Detailed Fix Log

This section includes a brief description of fixes implemented by Hummingbot after the
security assessment conducted by Enyk.

HBOT-01-001: Retrieve auth token for new accounts on

registration API without email access
A fix is deployed to production on 27th January 2022 that enforces verification of DID token
during the registration API. Verified by Enyk on 28th January 2022.

36