1. Home
  2. Vulnerability

Vulnerability

Bitcoin Ordinals could be stopped if blockchain bug is patched, claims dev

A Bitcoin Core developer claimed Bitcoin Ordinals exploit a vulnerability allowing inscribers to bypass data size limits, which could soon be fixed.

A bug fix on the Bitcoin network could put a stop to new Bitcoin Ordinals and BRC-20 tokens as they’re causing network congestion by “exploiting a vulnerability,” claims a Bitcoin Core developer.

In a Dec. 6 X (Twitter) post, developer Luke Dashjr said inscriptions — used by Ordinals and BRC-20 creators to embed data on satoshi’s — exploit a Bitcoin Core vulnerability to “spam the blockchain.”

He explained the Bitcoin Core code has allowed users to set limits on the size of extra data in transactions since 2013, but “by obfuscating their data as program code, inscriptions bypass this limit.”

The bug allowing inscriptions to bypass this limit was recently fixed in the latest update to Bitcoin Knots, a Bitcoin Core derivative with less tested or untested features backported from and sometimes maintained outside of the core code.

Another X user asked if Ordinals and BRC-20 tokens “would stop being a thing” if the vulnerability was fixed to which Dashjr replied, “Correct.” Existing inscriptions would still remain.

"Bitcoin Core is still vulnerable in the upcoming  v26 release," he said.

On Dec.

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

Cybersecurity team claims up to $2.1B in crypto stored in old wallets are at risk

The security firm urges those using wallets generated from 2011 to 2015 to transfer their assets to crypto wallets that were generated more recently.

While the crypto community is still weathering the effects of the recent $100-million Poloniex hack, another cybersecurity threat that could affect billions worth of crypto assets has been discovered by a team of blockchain security experts. 

On Nov. 14, cybersecurity company Unciphered released information on a vulnerability that they called “Randstorm,” which they claim to affect millions of crypto wallets that were generated from 2011 to 2015.

According to the firm, while working to retrieve a Bitcoin (BTC) wallet for a customer, they discovered a potential issue for wallets generated by BitcoinJS and derivative projects. The issue could possibly affect millions of wallets and around $2.1 billion in crypto assets, according to the cybersecurity company. 

The firm also believes that multiple blockchains and projects could be affected. Apart from BTC, the company highlighted that Dogecoin (DOGE), Litecoin (LTC) and Zcash (ZEC) wallets could also potentially contain the vulnerability.

Related: Hackers claim to have stolen user data from defunct crypto ATM firm Coin Cloud

In addition, the company said that millions have already received an alert about the problem. For those who are using crypto wallets generated within the 2011 to 2015 time frame, the company recommends transferring their assets to wallets that were generated more recently. They wrote:

“If you are an individual who has generated a self-custody wallet using a web browser before 2016, you should consider moving your funds to a more recently created wallet generated by trusted software.”

While the company said that not all impacted wallets are affected equally, it also confirmed that the vulnerability is exploitable. However, the company did not provide any details about the exploitation of the vulnerability to avoid providing more information to bad actors in the space.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

WinRAR patches zero-day bug that targeted stock and crypto traders

According to cybersecurity firm Group-IB, weaponized ZIP file archives were being shared on crypto trading forums, with each one containing a nasty surprise.

The developers behind file compression software WinRAR have patched a zero-day vulnerability that allowed hackers to install malware onto unsuspecting victims' computers, enabling them to hack into their crypto and stock trading accounts.

On Aug. 23, Singapore-based cybersecurity firm Group-IB reported a zero-day vulnerability in the processing of the ZIP file format by WinRAR.

The zero-day vulnerability tracked as CVE-2023-38831, was exploited for approximately four months, allowing hackers to install malware when a victim clicked on files in an archive. The malware would then allow hackers to breach online crypto and stock trading accounts, according to the report.

Using the exploit, the threat actors were able to create malicious RAR and ZIP archives that displayed seemingly innocent files such as JPG images or PDF text documents. These weaponized ZIP archives were then distributed on trading forums targeting crypto traders offering strategies such as "best Personal Strategy to trade with Bitcoin."

Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.

The report confirmed that the malicious archives found their way onto at least eight public trading forums infecting at least 130 devices, however, the victim's financial losses were unknown.

WinRar exploit infection chain. Source: Group-IB

On execution, the script launches a self-extracting (SFX) archive that infects the target computer with various malware strains, such as the DarkMe, GuLoader, and Remcos RAT.

These provide the attacker with remote access privileges on the infected computer. DarkMe malware has previously been used in crypto and financially motivated attacks.

The researchers notified RARLABS which patched the zero-day vulnerability in WinRAR version 6.23, released on Aug. 2.

Related: Crypto investors under attack by new malware, reveals Cisco Talos

In August, smartphone giant BlackBerry identified several malware families that actively aimed to hijack computers to mine or steal cryptocurrencies.

The same month also revealed a newly discovered remote access tool called HVNC (Hidden Virtual Network Computer) that can enable hackers to compromise Apple operating systems was found on sale on the dark web.

Magazine: Should crypto projects ever negotiate with hackers? Probably

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

Cypher Protocol reveals $600K of stolen funds is now frozen on CEXs

Solana-based Cypher Protocol has managed to stop around $600,000 of stolen funds from exiting various centralized exchanges.

Solana-based decentralized futures exchange Cypher Protocol has managed to freeze $600,000 worth of crypto stolen from an Aug. 7 security exploit.

In an X (Twitter) post on Aug. 18, Cypher Protocol reported that more than half of the funds stolen have been successfully frozen across centralized exchanges with the help of several independent blockchain investigators.

“The return of these funds will be predicated on the cooperation of these CEXs and seizure warrants being issued by law enforcement,” it said.

Cypher was exploited on Aug. 7 for around $1 million resulting in the protocol halting its smart contracts.

The DeFi exchange enables lending and borrowing through primary accounts with multiple cross-collateralized sub-accounts. However, the vulnerabilities prevented proper tracking of isolated sub-accounts and insufficient margin checks before borrowing, explained blockchain security firm Halborn.

The attacker exploited these code vulnerabilities using multiple accounts to drain an estimated $1 million in various crypto assets including USDT, USDT, SOL, wETH, and a handful of other altcoins.

On Aug. 10, the team managed to make contact with the hacker after it had offered a 10% white hat bounty worth around $120,000.

Two days later, the protocol said the hacker had missed the deadline to return the funds and opened the bounty up to the public. They also hinted at knowing the partial identity of the exploiter.

On Aug. 16, Cypher announced a redemption plan and “socialized losses policy” to distribute remaining assets to affected users. A redemption package with protocol assets will be distributed pro rata based on user share, it stated.

“The value used for redemption in relation to a margin account will be based on a snapshot of the account’s assets at the time Cypher protocol was frozen,” totaling around 31 cents on the dollar it added.

Screenshot from Cypher redemption package. Source: Cypherlabs

In its latest statement, Cypher thanked blockchain sleuth ZachXBT, adding “he was invaluable to the Cypher team and the main contributor in the initial freezing of funds across multiple CEXs, and also aided in tracking the attacker.”

Cointelegraph reached out to ZachXBT for comment but had not heard back at the time of writing.

Related: Crypto hacks and exploits snatch over $300M in Q2 2023

According to the De.Fi Rekt database, the Cypher exploit was not the largest so far in August, coming in third.

DeFi protocol Zunami suffered a $2.1 million flash loan attack on Aug. 13 and leveraged yield aggregation platform Steadefi was exploited for $1.1 million on Aug. 7.

Magazine: Should crypto projects ever negotiate with hackers? Probably

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

Sushiswap Smart Contract Bug Results in Over $3M in Losses; Head Chef Says Hundreds of ETH Recovered

Sushiswap Smart Contract Bug Results in Over M in Losses; Head Chef Says Hundreds of ETH RecoveredAccording to several reports, a bug introduced to the decentralized exchange (dex) protocol Sushiswap’s smart contract has resulted in more than $3 million in losses. The blockchain and smart contract security firm Peckshield explained the exploited contract was “deployed in multiple blockchains.” Dex Platform Sushiswap Suffers From Smart Contract Exploit Over the weekend, the dex […]

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

Rogue Validator Exploits MEV Bots on Ethereum, Resulting in $25.3M in Crypto Losses

Rogue Validator Exploits MEV Bots on Ethereum, Resulting in .3M in Crypto LossesOn April 3, 2023, at Ethereum block height 16,964,664, a group of MEV (Maximal Extractable Value) bots were exploited for $25.3 million. An analysis of the exploit revealed that a renegade validator switched the MEV bots’ transactions and seized various crypto tokens, such as 7,460 wrapped ether and 64 wrapped bitcoin. While the Mechanisms Behind […]

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

Kokomo Finance's social media presence and websites are offline, while the price of the KOKO token fell more than 95% within a matter of minutes.

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that has seen user funds plucked out from the platform via a smart contract loophole.

Blockchain security firm CertiK alerted its followers to the “exit scam” in a March 26 Twitter post, noting that the Kokomo Finance (KOKO) token has plummeted 95% in value in a matter of minutes.

CertiK also noted that Kokomo Finance removed all social media accounts immediately following the alleged rug pull too.

Kokomo Finance has either deactivated or deleted its Twitter account. Source: Twitter

CertiK said the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function.

After that, an address beginning with “0x5a2d..” approved the new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC).

The attacker then called another command to swap the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.

Changes to the smart contract code of the KOKO began at about 9 am UTC on March 26. Source: Optimistic Etherscan

A CertiK spokesperson told Cointelegraph that it was the largest "incident" that they’ve detected on Optimism.

Kokomo Finance is an open-source and non-custodial lending protocol on Optimism, where investors could trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and DAI.

Kokomo Finance rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25.

The price of Kokomo Finance token, KOKO fell over 97% at about 4:10pm UTC time on March 26. Source: CoinGecko

Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.

Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all social media and blog websites listed on Kokomo Finance’s Linktree page, however, all of these links now lead to some form of an error page, suggesting the page has been removed.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

Cointelegraph came across Kokomo Finance’s smart contract audit, which was reviewed and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, “typographical errors” were found and the owner of the KOKO token was found to have a one-time ability to 45% of the maximum supply to an arbitrary address.

Kokomo did not pass all aspects of its smart contract audit, which was reviewed by 0xGuard in March. Source: GitHub

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects ever negotiate with hackers? Probably

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

Major Cryptocurrency ATM Manufacturer General Bytes Hacked, Over $1.5M in Bitcoin Stolen

Major Cryptocurrency ATM Manufacturer General Bytes Hacked, Over .5M in Bitcoin StolenGeneral Bytes experienced a security incident on March 17 and 18 that enabled a hacker to remotely access the master service interface and send funds from hot wallets, according to the company and sources. The breach forced a majority of U.S.-based crypto automated teller machine (ATM) operators to temporarily shut down. The hacker was able […]

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

BitGo patches critical vulnerability first discovered by Fireblocks

BitGo has patched a vulnerability that threatened to expose the private keys of retail and institutional users.

Cryptocurrency wallet BitGo has patched a critical vulnerability that could have exposed the private keys of retail and institutional users.

Cryptography research team Fireblocks identified the flaw and notified the BitGo team in December 2022. The vulnerability was related to BitGo Threshold Signature Scheme (TSS) wallets and had the potential to expose the private keys of exchanges, banks, businesses and users of the platform.

The Fireblocks team named the vulnerability the BitGo Zero Proof Vulnerability, which would allow potential attackers to extract a private key in under a minute using a small amount of JavaScript code. BitGo suspended the vulnerable service on Dec. 10 and released a patch in February 2023 that required client-side updates to the latest version by March 17.

The Fireblocks team outlined how it identified the exploit using a free BitGo account on mainnet. A missing part of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol allowed the team to expose the private key through a simple attack.

Related: Euler Finance hacked for over $195M in a flash loan attack

Industry standard enterprise-grade cryptocurrency asset platforms make use of either multi-party-computation (MPC/TSS) or multi-signature technology to remove the possibility of a single point of attack. This is done by distributing a private key between multiple parties, to ensure security controls if one party is compromised.

Fireblocks was able to prove that internal or external attackers could gain access to a full private key through two possible means.

A compromised client-side user could initiate a transaction to acquire a portion of the private key held in BitGo’s system. BitGo would then perform the signing computation before sharing information that leaks the BitGo key shard.

“The attacker can now reconstruct the full private key, load it in an external wallet and withdraw the funds immediately or at a later stage.”

The second scenario considered an attack if BitGo was compromised. An attacker would wait for a customer to initiate a transaction, before replying with a malicious value. This is then used to sign the transaction with the customer’s key shard. The attacker can use the response to reveal the user’s key shard, before combining that with BitGo’s key shard to take control of the wallet.

Fireblocks notes that no attacks have been carried out by the identified vector, but warned users to consider creating new wallets and moving funds from ECDSA TSS BitGo wallets prior to the patch

Hacks of wallets have been commonplace across the cryptocurrency industry in recent years. In August 2022, over $8 million was drained from over 7000 Solana-based Slope wallets. Algorand network wallet service MyAlgo was also targeted by a wallet hack that saw over $9 million drained from various high-profile wallets.

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs

Euler Finance’s offer to hacker: Keep $20M or face the law

The hacker committed a $196 million flash loan attack on the Ethereum-based lending protocol on March 13.

Ethereum-based noncustodial lending protocol Euler Finance is trying to cut a deal with the exploiter that stole millions from its protocol, demanding the hacker returns 90% of the funds they stole within 24 hours or face legal consequences.

Euler Labs sent its ultimatum to the flash loan attacker who exploited the platform for $196 million by transferring the hacker 0 Ether (ETH) with an attached message on March 14:

“Following up on our message from yesterday. If 90% of the funds are not returned within 24 hours, tomorrow we will launch a $1M reward for information that leads to your arrest and the return of all funds.”

The threat of law enforcement comes as Euler sent the hacker a much more civil message the day before.

“We understand you are responsible for this morning’s attack on the Euler platform,” it read. “We are writing to see whether you would be open to speaking with us about any potential next steps.”

The request for a 90% fund return would see the hacker send back $176.4 million while holding onto the remaining $19.6 million.

However, many observers have noted that the hacker has very little to no incentive to follow through with the deal.

“If I was the hacker I’d simply say ‘to anyone who manages to track me down, I will give you $2 million not to tell Euler,’” one observer said.

“Yeh he has 200 Million they have 2 Million. He wins in a bidding war,” another Twitter user wrote in response.

Euler Labs said it was already working with law enforcement in the United States and the United Kingdom, along with engaging blockchain intelligence platforms Chainalysis, TRM Labs and the broader Ethereum community, to help track down the hacker.

Related: DeFi protocol Platypus suffers $8.5M flash loan attack, suspect identified

The lending platform added it was able to promptly stop the flash loan attack by blocking deposits and the “vulnerable” donation function.

As for the exploited code, the team explained that the vulnerability “was not discovered” in the audit of its smart contract, which had existed on-chain for eight months until bei exploited on March 13.

‘BITSANITY’ — Records broken with $70B in volume for Bitcoin stocks, ETFs