1. Home
  2. Vulnerability

Vulnerability

More than 280 blockchains at risk of ‘zero-day’ exploits, warns security firm

Dogecoin, Zcash and Litecoin have already patched the “critical” vulnerability, but hundreds of others may not have, risking billions’ worth of crypto.

More than 280 blockchain networks are at risk of “zero-day” exploits that could put at least $25 billion worth of crypto at risk, according to cybersecurity firm Halborn.

In a March 13 blog post, Halborn warned of the vulnerability it dubbed “Rab13s” — adding it has already worked with some blockchains, such as Dogecoin, Litecoin and Zcash, to institute a fix for it.

Halborn said it was contracted in March 2022 to conduct a security review of Dogecoin’s codebase and found “several critical and exploitable vulnerabilities.”

It later determined those same vulnerabilities “affected over 280 other networks” that risked billions of dollars worth of cryptocurrencies.

Halborn outlined three vulnerabilities, the “most critical” of which allows an attacker to “send crafted malicious consensus messages to individual nodes, causing each to shut down.”

It added these messages over time could expose the blockchain to a 51% attack where an attacker controls the majority of the network’s mining hash rate or staked tokens to make a new version of the blockchain or take it offline.

Other zero-day vulnerabilities it found would allow potential attackers to crash blockchain nodes by sending Remote Procedure Call (RPC) requests — a protocol allowing a program to communicate and request services from another.

It added the likelihood of RPC-related exploits was lower as it requires valid credentials to undertake the attack.

“Due to codebase differences between the networks not all the vulnerabilities are exploitable on all the networks, but at least one of them may be exploitable on each network,” Halborn warned.

Related: Jump Crypto and Oasis.app ‘counter exploits’ Wormhole hacker for $225M

The firm said at this time it’s not releasing further technical details of the exploits due to their severity and added it made a “good faith effort” to contact all affected parties to disclose the potential exploits and provide remediation for the vulnerabilities.

Dogecoin, Zcash and Litecoin have already implemented patches for the discovered vulnerabilities, but hundreds could still be exposed, according to Halborn.

Infomon Blends Pokémon Go With NFTs and X Integration

OpenSea patches vulnerability that potentially exposed users’ identities

Cybersecurity firm Imperva found a vulnerability that could be used to leak user information such as email addresses and phone numbers, which has now been patched.

Nonfungible token marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could have exposed identifying information about its anonymous users. 

In a March 9 blog post blog, cybersecurity firm Imperva detailed how it discovered the vulnerability, which it claimed could deanonymize OpenSea users “by linking an IP address, a browser session, or an email in certain conditions” to an NFT.

As the NFT corresponds to a cryptocurrency wallet address, a user’s real identity could be revealed from the information gathered and linked to the wallet and its activity, Imperva explained.

The exploit is understood to have taken advantage of a cross-site search vulnerability. Imperva claimed OpenSea had misconfigured a library that resizes webpage elements that load HTML content from elsewhere that are typically used to place ads, interactive content, or embedded videos.

As OpenSea didn’t restrict this library’s communications, exploiters could use the information it broadcasts as an “oracle” to narrow down when searches return no results as the webpage would be smaller.

Imperva detailed that an attacker would send their target a link through email or SMS, which if clicked “reveals valuable information, such as the target’s IP address, user agent, device details, and software versions.”

Screenshot of OpenSea's front page. Source: OpenSea

The attacker would then use OpenSea’s vulnerability to extract the NFT names of their target and associate the corresponding wallet address with identifying information such as an email or phone number which was sent the original link.

Imperva said OpenSea “quickly addressed the issue” and properly restricted the library’s communications, reporting that the platform “was no longer at risk of such attacks.”

Related: Security team creates dashboard to detect potential NFT hacks in OpenSea

Users of the platform have long been victims of attacks that mimic OpenSea’s functions to undertake exploits, such as phishing websites that resemble the platform or signature requests appearing to originate from OpenSea.

OpenSea itself has faced criticism for its platform security due to a major phishing attack in February 2022 that resulted in over $1.7 million worth of NFTs being stolen from users.

As for the recent patch, it’s unknown how long it existed or if any users had been affected by the exploit.

OpenSea did not immediately respond to Cointelegraph’s request for comment.

Infomon Blends Pokémon Go With NFTs and X Integration

DeFi auditor nets $40,000 for identifying Uniswap vulnerability

A security firm flagged a now-fixed vulnerability to Uniswap, highlighting the potential for reentrancy attacks on the protocol’s Universal Router smart contract.

Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability of the protocol’s Universal Router smart contract.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible tokens (NFTs) swapping into a single swap router.

Uniswap also advertised a lucrative bug bounty program to identify potential vulnerabilities in its smart contracts towards the end of 2022 as it looked to assure the safety and efficacy of its protocol.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub’s breakdown, the Universal Router allows users to perform diverse actions including swapping multiple tokens and NFTs in one transaction.

The router embeds a scripting language for a wide variety of token actions, which could include transfers to third party recipients. If correctly implemented, transfers would go to the recipient within specified parameters.

Related: Immunefi says it has facilitated $66M in bug bounties since inception 

However, Dedaub identified a vulnerability in which a third-party code was invoked during the transfer, allowing the code to re-enter the Universal Router and claim any tokens that were temporarily in the contract.

Dedaub then suggested a straight-forward remedy, advising the Uniswap team to add a reentrancy lock to the core execution of the new router. Uniswap awarded the auditing firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap’s bonus period in November 2022.

Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have high impact and low likelihood. According to Dedaub, the possibility of a user sending NFTs to an untrusted recipient directly was considered user error.

More complex and less likely scenarios were considered valid for reentrancy, which resulted in Uniswap deeming the vector to have a low likelihood. Cointelegraph has reached out to Uniswap to ascertain further details of its ongoing bounty program, amounts paid out and the number of bugs identified to date.

Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies look to ensure the security of their software, systems and infrastructure. 

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.

Infomon Blends Pokémon Go With NFTs and X Integration

Breaking: Ankr confirms exploit, asks for immediate trading halt

The decentralized-finance protocol said it is working with exchanges to immediately halt trading of its BNB staking rewards token, aBNBc.

BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it has been hit by a multi-million dollar exploit on Dec. 1.

The attack appeared to be first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2. 

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that they’re working with exchanges to immediately halt trading of the compromised token.

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin (USDC).

It also added in a following post that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.

In a Dec. 2 Twitter post, crypto exchange Binance also confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance's user funds are not at risk.

Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.

Infomon Blends Pokémon Go With NFTs and X Integration

This AI chatbot is either an exploiter’s dream or their nightmare

The crypto community has come across an AI-powered chatbot that can be used to audit smart contracts and expose vulnerabilities.

The online crypto community has discovered a new Artificial Intelligence (AI)-powered chatbot that can either be used to warn developers of smart contracts vulnerabilities or teach hackers how to exploit them. 

ChatGPT, a chatbot tool built by AI research company OpenAI, was released on Nov. 30 and was designed to interact “in a conversational way” with the ability to answer follow-up questions and even admit mistakes, according to the company.

However, some Twitter users have come to realize that the bot could potentially be used for both good and evil, as it can be prompted to reveal loopholes in smart contracts.

Stephen Tong, co-founder of smart contract auditing firm Zellic asked ChatGPT to help find an exploit, presenting a piece of smart contract code.

The bot responded by noting the contract had a reentrancy vulnerability where an exploiter could repeatedly withdraw the funds from the contract and provided an example of how to fix the issue.

This similar type of exploit was used in May by the attacker of the Decentralized finance (DeFi) platform Fei Protocol who made off with $80 million.

Others have shared results from the chatbot after prompting it with vulnerable smart contracts. Twitter user devtooligan shared a screenshot of ChatGPT, which provided the exact code needed to fix a Solidity smart contract vulnerability commenting “we're all gonna be out of a job.”

With the tool, Twitter users have already begun to jest they’re able to now start businesses for security auditing simply by using the bot to test for weaknesses in smart contracts.

Cointelegraph tested ChatGPT and found it can also create an example smart contract from a prompt using simple language, generating code that could apparently provide staking rewards for Ethereum-based nonfungible tokens (NFTs).

ChatGPT’s example Solidity smart contract for NFT staking rewards from a simple prompt. Image: Cointelegraph.

Despite the chatbot's ability to test smart contract functionality, it wasn’t solely designed for that purpose and many on Twitter have suggested some of the smart contracts it generates have issues.

The tool also might provide different responses depending on the way it’s prompted, so it isn't perfect.

Related: Secret Network resolves network vulnerability following white hat disclosure

OpenAI CEO Sam Altman tweeted that the tool was “an early demo” and is “very much a research release.”

He opined that “language interfaces are going to be a big deal” and tools such as ChatGPT will “soon” have the ability to answer questions and give advice with later iterations completing tasks or even discovering new knowledge.

Infomon Blends Pokémon Go With NFTs and X Integration

Solana’s Investigation Indicates Wallet Exploit Tied to Slope Mobile App

Solana’s Investigation Indicates Wallet Exploit Tied to Slope Mobile AppFollowing the Solana wallet attack, the Solana Status team updated the public and detailed that the wallet addresses affected by the breach were tied to Slope mobile wallet applications. The team further stressed that “there is no evidence the Solana protocol or its cryptography was compromised.” Solana Status Report Says Affected Addresses Were at One […]

Infomon Blends Pokémon Go With NFTs and X Integration

Axie Infinity Loses $620 Million After Hacker Compromised Ronin Validators

Axie Infinity Loses 0 Million After Hacker Compromised Ronin ValidatorsAccording to Sky Mavis, the creators of the blockchain NFT game Axie Infinity, the Ronin network has been attacked, and a hacker has managed to siphon 173,600 in ethereum and 25.5 million usd coin (USDC). The attacker has obtained roughly $620 million worth of crypto assets, and the Ronin bridge and Katana Dex have been […]

Infomon Blends Pokémon Go With NFTs and X Integration

HP-Branded Servers Hijacked to Mine $110,000 Worth of Cryptocurrency

HP-Branded Servers Hijacked to Mine 0,000 Worth of CryptocurrencyHackers recently took control of a group of HP-branded servers and used them to remotely mine a cryptocurrency called raptoreum, according to reports. This resulted in the compromised cluster of HP machines becoming the biggest contributor to the total mining pool of the cryptocurrency, allowing attackers to rake in $110,000 worth. The coins are said […]

Infomon Blends Pokémon Go With NFTs and X Integration