Description
BIP32 Derivation found in the API.
PoC
ForTom.webm
Integrity discrepancy found between the centralized "Rewards" ledger and the decentralized SDK UTXO state (CORS / middleware / environment isolation / balance derivation).
The account reveals a material discrepancy between "earned" LBC and "spendable" LBC. The API records a variable amount; the SDK v0.113.0 remains unaware of these assets even after master seed injection, as the address gap widens.
Vulnerable code as it stands: tox.ini confirms that blockchain and transactions operate in isolated environments. The "ghost ledger" transacts credited rewards without corresponding UTXO elements to broadcast to the blockchain ledger. server.go explicitly sets Access-Control-Origin: "*", permitting cross-origin theft of session tokens, which use ghost balances before hitting the decentralized chain.
UTXOs of earned rewards are subsequently withheld.
Sub-account isolation results in loss of user access to "earned" rewards. JSON-RPC exposes unauthenticated local ports, which allows remote code execution if port 5279 is reachable via a browser-based "CORS bypass".
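The two server-side conditions the report leans on are a wildcard allow-origin header and a JSON-RPC port that accepts calls with no authentication. The following Go program is an added example written for this page, not code from the LBRY project or its server.go: it shows the wildcard middleware as the "before", beside an origin-allowlist middleware and a bearer-token check that together make a locally bound RPC port a closed channel. All names (`wildcardCORS`, `allowlistCORS`, `requireToken`, `rpcHandler`, `newServer`, `probe`), the `/rpc` path, the trusted origin and the token value are assumptions constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// wildcardCORS reproduces the weak pattern the report attributes to server.go:
// every origin is allowed. Kept only as the "before" to contrast with
// allowlistCORS; it is not the project's code and should not be deployed.
func wildcardCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS reflects only explicitly trusted origins. A browser request
// carrying any other Origin is refused outright (403), and preflight
// (OPTIONS) is answered here so it never reaches the RPC handler.
func allowlistCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" {
			if !allowed[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Vary", "Origin")
			w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireToken makes the RPC port an authenticated channel: a request must
// present "Authorization: Bearer <token>", compared in constant time.
func requireToken(token string, next http.Handler) http.Handler {
	want := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// rpcHandler stands in for the daemon's JSON-RPC endpoint (hypothetical;
// it only acknowledges the call).
func rpcHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"jsonrpc":"2.0","result":"ok","id":1}`)
}

// newServer wires the hardened chain: origin allowlist, then token check,
// then the RPC handler.
func newServer(token string, allowed map[string]bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/rpc", allowlistCORS(allowed, requireToken(token, http.HandlerFunc(rpcHandler))))
	return mux
}

// probe runs one in-memory request against a handler and returns the status
// code and the Access-Control-Allow-Origin header it produced.
func probe(h http.Handler, method, origin, auth string) (int, string) {
	req := httptest.NewRequest(method, "/rpc", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Constructed values: the token and the trusted origin are placeholders.
	h := newServer("replace-with-random-token", map[string]bool{"https://app.example": true})
	for _, o := range []string{"https://app.example", "https://attacker.example"} {
		code, acao := probe(h, http.MethodPost, o, "Bearer replace-with-random-token")
		fmt.Printf("origin=%s status=%d allow-origin=%q\n", o, code, acao)
	}
	// A real daemon would bind to loopback only: http.ListenAndServe("127.0.0.1:5279", h)
}
```

One caveat worth keeping in mind when reading the report: browsers refuse to expose a response to a credentialed cross-origin request when the allow-origin header is the literal `*`, so the wildcard mainly widens exposure of endpoints that authenticate by other means or not at all. A loopback JSON-RPC port with no token is exactly that case, which is why the allowlist is paired with the bearer-token check here rather than relied on alone.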