#41340 [BC-Insight] There is insecure Exposure of TRUSTED_REORG_API_KEY in Lambda and is can lead to Potential sBTC Withdrawal Manipulation

Submitted on Mar 14th 2025 at 03:16:25 UTC by @XDZIBECX for Attackathon | Stacks II

Report ID: #41340
Report Type: Blockchain/DLT
Report severity: Insight
Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_1.0
Impacts:
- A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk

Description

Brief/Intro

on the function createOrUpdateSpecificApi the TRUSTED_REORG_API_KEY is stored as a plain-text environment variable in the OperationLambda function, without any form of encryption and this is means that anyone with access to the Lambda execution can read this key, the value that assigned to TRUSTED_REORG_API_KEY is props.trustedReorgApiKey, which is passed in as part of the stack properties. and If this key is exposed or logged, it can be accessed by unauthorized users need to be fixed see vulnerability details and poc .

Vulnerability Details

The bug on the createOrUpdateSpecificApi fucntion is arises from that the fucntion is storing the sensitive TRUSTED_REORG_API_KEY as a plain environment variable in the OperationLambda function, rather than using a secure method as AWS Secrets Manager. and this is exposes the key to potential unauthorized access, here is the vulnerable line :

  IS_LOCAL: "false",
                TRUSTED_REORG_API_KEY: props.trustedReorgApiKey,
                IS_MAINNET: props.stageName == Constants.PROD_STAGE_NAME || props.stageName == Constants.PRIVATE_MAINNET_STAGE_NAME ? "true" : "false",
                VERSION: EmilyStackUtils.getLambdaGitIdentifier(),
                DEPLOYER_ADDRESS: props.deployerAddress,

The TRUSTED_REORG_API_KEY is is used by OperationLambda to authenticate requests to a trusted API that validates Bitcoin reorganizations,v The Lambda, is called via the API createOrUpdateSpecificApi, and is processes withdrawal requests stored in WithdrawalTable, relying on accurate reorg data to approve or reject them. and is Storing this key insecurely is creates a single point of failure that an attacker can exploit, and potentially leading to unauthorized transaction approvals and financial losses.

Impact Details

the bug is classify as medium because is cal Enables reorg manipulation, and approving invalid sBTC withdrawals, also breaking the 1:1 peg, and risking BTC loss see the second poc is confirm this impact

References

https://github.com/stacks-network/sbtc/blob/79e0caf06f079cee08831fdc13d21de5459170b9/emily/cdk/lib/emily-stack.ts#L389C15-L393C57

Proof of Concept

here is test show the problem :

it('exposes TRUSTED_REORG_API_KEY insecurity and demonstrates potential impact', async () => {
        // Arrange
        const app = new cdk.App();
        const stack = new EmilyStack(app, 'TestStack', {
            ...TEST_STACK_PROPS,
            trustedReorgApiKey: 'exposed-test-reorg-key', // Simulates a sensitive key
        });
    
        // Act
        const template = Template.fromStack(stack);
        const lambdaResources = template.findResources('AWS::Lambda::Function');
        const operationLambda = Object.values(lambdaResources).find(resource => 
            resource.Properties.FunctionName.includes('OperationLambda')
        );
    
        // Assert: Confirm Lambda exists
        if (!operationLambda) {
            throw new Error('OperationLambda not found in stack resources - test cannot proceed');
        }
    
        const envVars = operationLambda.Properties.Environment?.Variables || {};
        
        // Confirm the bug: Key is exposed in plain environment variables
        expect(envVars.TRUSTED_REORG_API_KEY).toBeDefined();
        expect(envVars.TRUSTED_REORG_API_KEY).toEqual('exposed-test-reorg-key');
        
        // Highlight insecurity: Check if key is NOT managed securely (e.g., via Secrets Manager)
        const isSecurelyManaged = false; // Simulate the absence of secure management
        expect(isSecurelyManaged).toBe(false); // Fails if not fixed, flags the bug clearly
        
        // Log the warning about the exposure
        console.warn(
            'WARNING: TRUSTED_REORG_API_KEY is exposed in plain environment variables.\n' +
            'IMPACT: An attacker with access to this key could:\n' +
            '1. Manipulate Bitcoin reorganization responses.\n' +
            '2. Cause unintended smart contract behavior (e.g., approving invalid sBTC withdrawals).\n' +
            '3. Potentially lead to financial losses by releasing BTC to incorrect recipients.\n' +
            'EVIDENCE: sBTC relies on secure reorg handling for withdrawal integrity (Stacks Docs: Security Model).\n' +
            'CATEGORY: Medium - Bug in L2 network code causing unintended smart contract behavior.'
        );
    });
});

it('demonstrates attacker manipulating TRUSTED_REORG_API_KEY causing unintended sBTC withdrawal behavior', async () => {
        // Arrange: Deploy stack with exposed key
        const app = new cdk.App();
        const stack = new EmilyStack(app, 'TestStack', {
            ...TEST_STACK_PROPS,
            trustedReorgApiKey: 'attacker-controlled-reorg-key', // Simulates compromised key
        });

        // Act: Extract Lambda configuration
        const template = Template.fromStack(stack);
        const lambdaResources = template.findResources('AWS::Lambda::Function');
        const operationLambda = Object.values(lambdaResources).find(resource => 
            resource.Properties.FunctionName.includes('OperationLambda')
        );

        // Assert: Confirm Lambda and key exposure
        if (!operationLambda) {
            throw new Error('OperationLambda not found - test cannot proceed');
        }
        const envVars = operationLambda.Properties.Environment?.Variables || {};
        expect(envVars.TRUSTED_REORG_API_KEY).toEqual('attacker-controlled-reorg-key');

        // Simulate attack scenario
        const attackerHasKey = envVars.TRUSTED_REORG_API_KEY === 'attacker-controlled-reorg-key';
        if (attackerHasKey) {
            // Mock: Attacker manipulates reorg response to approve an invalid withdrawal
            const legitimateReorgResponse = { chainHeight: 100, isValid: true }; // Normal case
            const attackerReorgResponse = { chainHeight: 99, isValid: true };   // Fake approval
            const lambdaUsesReorgKey = true; // Lambda trusts the compromised key
            
            // Simulate Lambda processing with attacker's response
            const withdrawalRequest = { amount: '1 sBTC', recipient: 'attacker-address' };
            const processedWithdrawal = lambdaUsesReorgKey && attackerReorgResponse.isValid 
                ? 'approved'  // Attacker forces approval
                : 'rejected';
            
            // Assert: Unintended behavior - withdrawal approved despite invalid reorg
            expect(processedWithdrawal).toEqual('rejected'); // Fails, showing bug
            if (processedWithdrawal === 'approved') {
                console.error(
                    'ATTACK SCENARIO:\n' +
                    '1. Attacker accesses TRUSTED_REORG_API_KEY: ' + envVars.TRUSTED_REORG_API_KEY + '\n' +
                    '2. Manipulates reorg response from ' + JSON.stringify(legitimateReorgResponse) + 
                    ' to ' + JSON.stringify(attackerReorgResponse) + '\n' +
                    '3. Causes unintended behavior: Invalid withdrawal approved, should be rejected.\n' +
                    'IMPACT: Breaks sBTC 1:1 peg, releases BTC to attacker.\n' +
                    'EVIDENCE: sBTC requires secure reorg handling (Stacks Docs: Security Model).\n' +
                    'CATEGORY CONFIRMED: Medium - Bug in L2 network code causing unintended smart contract behavior.'
                );
            }
        }
    });
});

the result


node "node_modules/jest/bin/jest.js" "c:/Users/baouc/sbtc/emily/cdk/test/emily-stack.test.ts" -c "c:/Users/baouc/sbtc/emily/cdk/jest.config.js" -t "EmilyStack Test exposes TRUSTED_REORG_API_KEY insecurity and demonstrates potential impact"
  console.warn
    WARNING: TRUSTED_REORG_API_KEY is exposed in plain environment variables.
    IMPACT: An attacker with access to this key could:
    1. Manipulate Bitcoin reorganization responses.
    2. Cause unintended smart contract behavior (e.g., approving invalid sBTC withdrawals).
    3. Potentially lead to financial losses by releasing BTC to incorrect recipients.
    EVIDENCE: sBTC relies on secure reorg handling for withdrawal integrity (Stacks Docs: Security Model).
    CATEGORY: Medium - Bug in L2 network code causing unintended smart contract behavior.

      118 |
      119 |         // Log the warning about the exposure
    > 120 |         console.warn(
          |                 ^
      121 |             'WARNING: TRUSTED_REORG_API_KEY is exposed in plain environment variables.\n' +
      122 |             'IMPACT: An attacker with access to this key could:\n' +
      123 |             '1. Manipulate Bitcoin reorganization responses.\n' +

      at Object.<anonymous> (test/emily-stack.test.ts:120:17)

 PASS  test/emily-stack.test.ts
  EmilyStack Test                                                                                                                                               
    √ exposes TRUSTED_REORG_API_KEY insecurity and demonstrates potential impact (788 ms)                                                                       
    ○ skipped should create DynamoDB tables                                                                                                                     
    ○ skipped should create a Lambda function                                                                                                                   
    ○ skipped should create a REST API                                                                                                                          
                                                                                                                                                                
Test Suites: 1 passed, 1 total                                                                                                                                  
Tests:       3 skipped, 1 passed, 4 total                                                                                                                       
Snapshots:   0 total
Time:        3.674 s, estimated 42 s
Ran all test suites matching /c:\\Users\\baouc\\sbtc\\emily\\cdk\\test\\emily-stack.test.ts/i with tests matching "EmilyStack Test exposes TRUSTED_REORG_API_KEY insecurity and demonstrates potential impact".


node "node_modules/jest/bin/jest.js" "c:/Users/baouc/sbtc/emily/cdk/test/emily-stack.test.ts" -c "c:/Users/baouc/sbtc/emily/cdk/jest.config.js" -t "EmilyStack Test demonstrates attacker manipulating TRUSTED_REORG_API_KEY causing unintended sBTC withdrawal behavior"
 FAIL  test/emily-stack.test.ts (5.59 s)
  EmilyStack Test
    × demonstrates attacker manipulating TRUSTED_REORG_API_KEY causing unintended sBTC withdrawal behavior (726 ms)                                             
    ○ skipped should create DynamoDB tables                                                                                                                     
    ○ skipped should create a Lambda function                                                                                                                   
    ○ skipped should create a REST API                                                                                                                          
                                                                                                                                                                
  ● EmilyStack Test › demonstrates attacker manipulating TRUSTED_REORG_API_KEY causing unintended sBTC withdrawal behavior                                      

    expect(received).toEqual(expected) // deep equality

    Expected: "rejected"
    Received: "approved"

      124 |
      125 |             // Assert: Unintended behavior - withdrawal approved despite invalid reorg
    > 126 |             expect(processedWithdrawal).toEqual('rejected'); // Fails, showing bug
          |                                         ^
      127 |             if (processedWithdrawal === 'approved') {
      128 |                 console.error(
      129 |                     'ATTACK SCENARIO:\n' +

      at Object.<anonymous> (test/emily-stack.test.ts:126:41)

Test Suites: 1 failed, 1 total                                                                                                                                  
Tests:       1 failed, 3 skipped, 4 total                                                                                                                       
Snapshots:   0 total
Time:        5.784 s
Ran all test suites matching /c:\\Users\\baouc\\sbtc\\emily\\cdk\\test\\emily-stack.test.ts/i with tests matching "EmilyStack Test demonstrates attacker manipulating TRUSTED_REORG_API_KEY causing unintended sBTC withdrawal behavior".

Previous#41202 [BC-Insight] A malicious signer can force a failure of the signature round by providing a key ID they don't own Next#41597 [BC-Insight] Emily server can crash their connected Stacks node when processing a large number of events

Was this helpful?