Bitcoin Ordinals could be stopped if blockchain bug is patched, claims dev

December 6, 2023 Coin Telegraph

A Bitcoin Core developer claimed Bitcoin Ordinals exploit a vulnerability allowing inscribers to bypass data size limits, which could soon be fixed.

A bug fix on the Bitcoin network could put a stop to new Bitcoin Ordinals and BRC-20 tokens as they’re causing network congestion by “exploiting a vulnerability,” claims a Bitcoin Core developer.

In a Dec. 6 X (Twitter) post, developer Luke Dashjr said inscriptions — used by Ordinals and BRC-20 creators to embed data on satoshi’s — exploit a Bitcoin Core vulnerability to “spam the blockchain.”

He explained the Bitcoin Core code has allowed users to set limits on the size of extra data in transactions since 2013, but “by obfuscating their data as program code, inscriptions bypass this limit.”

PSA: “Inscriptions” are exploiting a vulnerability in #Bitcoin Core to spam the blockchain.
— Luke Dashjr (@LukeDashjr) December 6, 2023

The bug allowing inscriptions to bypass this limit was recently fixed in the latest update to Bitcoin Knots, a Bitcoin Core derivative with less tested or untested features backported from and sometimes maintained outside of the core code.

Another X user asked if Ordinals and BRC-20 tokens “would stop being a thing” if the vulnerability was fixed to which Dashjr replied, “Correct.” Existing inscriptions would still remain.

"Bitcoin Core is still vulnerable in the upcoming v26 release," he said.

On Dec.

We are happy to announce testing of Bitcoin Knots v25.1 has completed successfully, and is now deployed to production.
Read more

Cybersecurity team claims up to $2.1B in crypto stored in old wallets are at risk

November 15, 2023 Coin Telegraph

Cybersecurity team claims up to .1B in crypto stored in old wallets are at risk

Coin Telegraph

The security firm urges those using wallets generated from 2011 to 2015 to transfer their assets to crypto wallets that were generated more recently.

While the crypto community is still weathering the effects of the recent $100-million Poloniex hack, another cybersecurity threat that could affect billions worth of crypto assets has been discovered by a team of blockchain security experts.

On Nov. 14, cybersecurity company Unciphered released information on a vulnerability that they called “Randstorm,” which they claim to affect millions of crypto wallets that were generated from 2011 to 2015.

Today we release our work on Randstorm: a vulnerability affecting a significant number of browser generated cryptocurrency wallets https://t.co/CebdytNaC6

Reporting @washingtonpost https://t.co/OzYDq2tH4W

Technical write-up: https://t.co/HPqjtaX1CA #Bitcoin #blockchain pic.twitter.com/aN7CZh9sv4
— Unciphered LLC (@uncipheredLLC) November 14, 2023

According to the firm, while working to retrieve a Bitcoin (BTC) wallet for a customer, they discovered a potential issue for wallets generated by BitcoinJS and derivative projects. The issue could possibly affect millions of wallets and around $2.1 billion in crypto assets, according to the cybersecurity company.

The firm also believes that multiple blockchains and projects could be affected. Apart from BTC, the company highlighted that Dogecoin (DOGE), Litecoin (LTC) and Zcash (ZEC) wallets could also potentially contain the vulnerability.

In addition, the company said that millions have already received an alert about the problem. For those who are using crypto wallets generated within the 2011 to 2015 time frame, the company recommends transferring their assets to wallets that were generated more recently. They wrote:

“If you are an individual who has generated a self-custody wallet using a web browser before 2016, you should consider moving your funds to a more recently created wallet generated by trusted software.”

While the company said that not all impacted wallets are affected equally, it also confirmed that the vulnerability is exploitable. However, the company did not provide any details about the exploitation of the vulnerability to avoid providing more information to bad actors in the space.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

WinRAR patches zero-day bug that targeted stock and crypto traders

August 25, 2023 Coin Telegraph

Coin Telegraph

According to cybersecurity firm Group-IB, weaponized ZIP file archives were being shared on crypto trading forums, with each one containing a nasty surprise.

The developers behind file compression software WinRAR have patched a zero-day vulnerability that allowed hackers to install malware onto unsuspecting victims' computers, enabling them to hack into their crypto and stock trading accounts.

On Aug. 23, Singapore-based cybersecurity firm Group-IB reported a zero-day vulnerability in the processing of the ZIP file format by WinRAR.

The zero-day vulnerability tracked as CVE-2023-38831, was exploited for approximately four months, allowing hackers to install malware when a victim clicked on files in an archive. The malware would then allow hackers to breach online crypto and stock trading accounts, according to the report.

Using the exploit, the threat actors were able to create malicious RAR and ZIP archives that displayed seemingly innocent files such as JPG images or PDF text documents. These weaponized ZIP archives were then distributed on trading forums targeting crypto traders offering strategies such as "best Personal Strategy to trade with Bitcoin."

Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.

The report confirmed that the malicious archives found their way onto at least eight public trading forums infecting at least 130 devices, however, the victim's financial losses were unknown.

*WinRar exploit infection chain. Source: Group-IB*

On execution, the script launches a self-extracting (SFX) archive that infects the target computer with various malware strains, such as the DarkMe, GuLoader, and Remcos RAT.

These provide the attacker with remote access privileges on the infected computer. DarkMe malware has previously been used in crypto and financially motivated attacks.

The researchers notified RARLABS which patched the zero-day vulnerability in WinRAR version 6.23, released on Aug. 2.

In August, smartphone giant BlackBerry identified several malware families that actively aimed to hijack computers to mine or steal cryptocurrencies.

The same month also revealed a newly discovered remote access tool called HVNC (Hidden Virtual Network Computer) that can enable hackers to compromise Apple operating systems was found on sale on the dark web.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Cypher Protocol reveals $600K of stolen funds is now frozen on CEXs

August 18, 2023 Coin Telegraph

Cypher Protocol reveals 0K of stolen funds is now frozen on CEXs

CEX

Solana-based Cypher Protocol has managed to stop around $600,000 of stolen funds from exiting various centralized exchanges.

Solana-based decentralized futures exchange Cypher Protocol has managed to freeze $600,000 worth of crypto stolen from an Aug. 7 security exploit.

In an X (Twitter) post on Aug. 18, Cypher Protocol reported that more than half of the funds stolen have been successfully frozen across centralized exchanges with the help of several independent blockchain investigators.

“The return of these funds will be predicated on the cooperation of these CEXs and seizure warrants being issued by law enforcement,” it said.

update from cypher

~$600k has been frozen across CEXs, the return of these funds will be predicated on the cooperation of these CEXs and seizure warrants being issued by law enforcement
— cypher ©️ (@cypher_protocol) August 17, 2023

Cypher was exploited on Aug. 7 for around $1 million resulting in the protocol halting its smart contracts.

The DeFi exchange enables lending and borrowing through primary accounts with multiple cross-collateralized sub-accounts. However, the vulnerabilities prevented proper tracking of isolated sub-accounts and insufficient margin checks before borrowing, explained blockchain security firm Halborn.

The attacker exploited these code vulnerabilities using multiple accounts to drain an estimated $1 million in various crypto assets including USDT, USDT, SOL, wETH, and a handful of other altcoins.

On Aug. 10, the team managed to make contact with the hacker after it had offered a 10% white hat bounty worth around $120,000.

Two days later, the protocol said the hacker had missed the deadline to return the funds and opened the bounty up to the public. They also hinted at knowing the partial identity of the exploiter.

The reward bounty is now open to the public pic.twitter.com/fEIiQ8rTKN
— cypher ©️ (@cypher_protocol) August 12, 2023

On Aug. 16, Cypher announced a redemption plan and “socialized losses policy” to distribute remaining assets to affected users. A redemption package with protocol assets will be distributed pro rata based on user share, it stated.

“The value used for redemption in relation to a margin account will be based on a snapshot of the account’s assets at the time Cypher protocol was frozen,” totaling around 31 cents on the dollar it added.

*Screenshot from Cypher redemption package. Source: Cypherlabs*

In its latest statement, Cypher thanked blockchain sleuth ZachXBT, adding “he was invaluable to the Cypher team and the main contributor in the initial freezing of funds across multiple CEXs, and also aided in tracking the attacker.”

Cointelegraph reached out to ZachXBT for comment but had not heard back at the time of writing.

According to the De.Fi Rekt database, the Cypher exploit was not the largest so far in August, coming in third.

DeFi protocol Zunami suffered a $2.1 million flash loan attack on Aug. 13 and leveraged yield aggregation platform Steadefi was exploited for $1.1 million on Aug. 7.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Sushiswap Smart Contract Bug Results in Over $3M in Losses; Head Chef Says Hundreds of ETH Recovered

April 10, 2023 Bitcoin.com

Rogue Validator Exploits MEV Bots on Ethereum, Resulting in $25.3M in Crypto Losses

April 4, 2023 Bitcoin.com

$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

March 27, 2023 Coin Telegraph

<div>M 'exit scam' suspected as Kokomo Finance flies off radar, token plunges</div>

0xGuard

Kokomo Finance's social media presence and websites are offline, while the price of the KOKO token fell more than 95% within a matter of minutes.

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that has seen user funds plucked out from the platform via a smart contract loophole.

Blockchain security firm CertiK alerted its followers to the “exit scam” in a March 26 Twitter post, noting that the Kokomo Finance (KOKO) token has plummeted 95% in value in a matter of minutes.

CertiK also noted that Kokomo Finance removed all social media accounts immediately following the alleged rug pull too.

*Kokomo Finance has either deactivated or deleted its Twitter account. Source:* *Twitter*

CertiK said the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function.

After that, an address beginning with “0x5a2d..” approved the new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC).

#CertiKSkynetAlert

On 26 March 2023, Kokomo Finance conducted an exit scam and stole ~$4 million in user funds.

Details Below https://t.co/BEPwfahblz
— CertiK Alert (@CertiKAlert) March 26, 2023

The attacker then called another command to swap the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.

*Changes to the smart contract code of the KOKO began at about 9 am UTC on March 26. Source:* *Optimistic Etherscan*

A CertiK spokesperson told Cointelegraph that it was the largest "incident" that they’ve detected on Optimism.

Kokomo Finance is an open-source and non-custodial lending protocol on Optimism, where investors could trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and DAI.

Kokomo Finance rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25.

*The price of Kokomo Finance token, KOKO fell over 97% at about 4:10pm UTC time on March 26. Source:* *CoinGecko*

Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.

@KokomoFinance is an open source and non-custodial lending protocol built on Optimism and @arbitrum .
- Launch on @DefiLlama
- Audited by @0xGuard $KOKO TVL : 2M, is continuously increasing, money will flow into this lending platform soon when it is deployed on @Arbitrum. pic.twitter.com/RduuHBWX39
— Az.eth (@0x_az) March 26, 2023

Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all social media and blog websites listed on Kokomo Finance’s Linktree page, however, all of these links now lead to some form of an error page, suggesting the page has been removed.

Cointelegraph came across Kokomo Finance’s smart contract audit, which was reviewed and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, “typographical errors” were found and the owner of the KOKO token was found to have a one-time ability to 45% of the maximum supply to an arbitrary address.

*Kokomo did not pass all aspects of its smart contract audit, which was reviewed by 0xGuard in March. Source:* *GitHub*

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Major Cryptocurrency ATM Manufacturer General Bytes Hacked, Over $1.5M in Bitcoin Stolen

March 19, 2023 Bitcoin.com

BitGo patches critical vulnerability first discovered by Fireblocks

March 17, 2023 Coin Telegraph

attackers

BitGo has patched a vulnerability that threatened to expose the private keys of retail and institutional users.

Cryptocurrency wallet BitGo has patched a critical vulnerability that could have exposed the private keys of retail and institutional users.

Cryptography research team Fireblocks identified the flaw and notified the BitGo team in December 2022. The vulnerability was related to BitGo Threshold Signature Scheme (TSS) wallets and had the potential to expose the private keys of exchanges, banks, businesses and users of the platform.

The Fireblocks team named the vulnerability the BitGo Zero Proof Vulnerability, which would allow potential attackers to extract a private key in under a minute using a small amount of JavaScript code. BitGo suspended the vulnerable service on Dec. 10 and released a patch in February 2023 that required client-side updates to the latest version by March 17.

The Fireblocks team outlined how it identified the exploit using a free BitGo account on mainnet. A missing part of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol allowed the team to expose the private key through a simple attack.

Industry standard enterprise-grade cryptocurrency asset platforms make use of either multi-party-computation (MPC/TSS) or multi-signature technology to remove the possibility of a single point of attack. This is done by distributing a private key between multiple parties, to ensure security controls if one party is compromised.

Fireblocks was able to prove that internal or external attackers could gain access to a full private key through two possible means.

A compromised client-side user could initiate a transaction to acquire a portion of the private key held in BitGo’s system. BitGo would then perform the signing computation before sharing information that leaks the BitGo key shard.

“The attacker can now reconstruct the full private key, load it in an external wallet and withdraw the funds immediately or at a later stage.”

The second scenario considered an attack if BitGo was compromised. An attacker would wait for a customer to initiate a transaction, before replying with a malicious value. This is then used to sign the transaction with the customer’s key shard. The attacker can use the response to reveal the user’s key shard, before combining that with BitGo’s key shard to take control of the wallet.

Fireblocks notes that no attacks have been carried out by the identified vector, but warned users to consider creating new wallets and moving funds from ECDSA TSS BitGo wallets prior to the patch

Hacks of wallets have been commonplace across the cryptocurrency industry in recent years. In August 2022, over $8 million was drained from over 7000 Solana-based Slope wallets. Algorand network wallet service MyAlgo was also targeted by a wallet hack that saw over $9 million drained from various high-profile wallets.

Euler Finance’s offer to hacker: Keep $20M or face the law

March 15, 2023 Coin Telegraph

Euler Finance’s offer to hacker: Keep M or face the law

attack

The hacker committed a $196 million flash loan attack on the Ethereum-based lending protocol on March 13.

Ethereum-based noncustodial lending protocol Euler Finance is trying to cut a deal with the exploiter that stole millions from its protocol, demanding the hacker returns 90% of the funds they stole within 24 hours or face legal consequences.

Euler Labs sent its ultimatum to the flash loan attacker who exploited the platform for $196 million by transferring the hacker 0 Ether (ETH) with an attached message on March 14:

“Following up on our message from yesterday. If 90% of the funds are not returned within 24 hours, tomorrow we will launch a $1M reward for information that leads to your arrest and the return of all funds.”

euler just sent an on-chain message to the hacker pic.twitter.com/0wKIW51NjM
— 0xngmi (llamazip arc) (@0xngmi) March 14, 2023

The threat of law enforcement comes as Euler sent the hacker a much more civil message the day before.

“We understand you are responsible for this morning’s attack on the Euler platform,” it read. “We are writing to see whether you would be open to speaking with us about any potential next steps.”

The request for a 90% fund return would see the hacker send back $176.4 million while holding onto the remaining $19.6 million.

However, many observers have noted that the hacker has very little to no incentive to follow through with the deal.

Look over your shoulder for the rest of your life, or take a $20m deal. No brainer.

Although, they could easily be state actors and aren’t really worried about low levels feds. https://t.co/i5zUSDqFca
— drnick ️² (@DrNickA) March 15, 2023

“If I was the hacker I’d simply say ‘to anyone who manages to track me down, I will give you $2 million not to tell Euler,’” one observer said.

“Yeh he has 200 Million they have 2 Million. He wins in a bidding war,” another Twitter user wrote in response.

Euler Labs said it was already working with law enforcement in the United States and the United Kingdom, along with engaging blockchain intelligence platforms Chainalysis, TRM Labs and the broader Ethereum community, to help track down the hacker.

An update on our work today to recover funds for Euler protocol users.

Here are a few actions we took immediately:

1. Stopped the direct attack as soon as possible by helping disable the EToken module, which blocked deposits and the vulnerable donation function

2. Engaged TRM… https://t.co/6ZClE9uGoH
— Euler Labs (@eulerfinance) March 14, 2023

The lending platform added it was able to promptly stop the flash loan attack by blocking deposits and the “vulnerable” donation function.

As for the exploited code, the team explained that the vulnerability “was not discovered” in the audit of its smart contract, which had existed on-chain for eight months until bei exploited on March 13.

Euler Labs works with various security groups to perform audits of the Euler Finance protocol.

While the vulnerable code was reviewed and approved during an outside audit, the vulnerability was not discovered as part of the audit.

The vulnerability remained on-chain for eight… https://t.co/M3PYSOwHhL
— Euler Labs (@eulerfinance) March 14, 2023

Vulnerability

Share this video