An estimated 280 or more blockchain networks are at risk of “zero-day” vulnerabilities that could put at least $25 billion worth of crypto at risk, according to cybersecurity firm Halborn.
On a March 13 BlogHalborn warned about the vulnerability that he dubbed "Rab13s," adding that he has already worked with some blockchains, such as Dogecoin, Litecoin, and Zcash, to institute a fix.
Halborn discovered enormous #Day zero impacting Dogecoin and more than 280 networks including Litecoin and Zcash, putting more than $25 billion in digital assets at risk!
...
—Halborn (@HalbornSecurity) March 13, 2023
Dogecoin hired Halborn in March 2022 to perform a security review of their codebase and found "several critical and exploitable vulnerabilities."
He later determined those same vulnerabilities “affected 280 other networks” that risked billions of dollars in cryptocurrency.
Halborn described three vulnerabilities, the "most critical" of which allows an attacker to "send crafted malicious consensus messages to individual nodes, causing each one to shut down."
3/ The most critical vulnerability discovered is related to peer-to-peer (p2p) communications where attackers can create consensus messages and send them to individual nodes, disconnecting them.
The Halborn researchers, led by @safe_bufferyou have codenamed this vulnerability #Rab13s.
—Halborn (@HalbornSecurity) March 13, 2023
He added that these messages over time could expose the blockchain to a 51% attack where an attacker controls the majority of the network mining hash rate or staked tokens to create a new version of the blockchain or take it offline.
Other zero-day vulnerabilities it found would allow potential attackers to block themselves blockchain nodes by sending Remote Procedure Call (RPC) requests, a protocol that allows one program to communicate with and request services from another.
7/ Second, attackers can execute code through the public interface (RPC) as a normal node user. Since a valid credential is required to carry out the attack, the probability of this exploit is lower.
—Halborn (@HalbornSecurity) March 13, 2023
He added that the likelihood of RPC-related vulnerabilities was lower, since it requires valid credentials to perform the attack.
“Due to code base differences between networks, not all vulnerabilities are exploitable on all networks, but at least one of them may be exploitable on every network,” Halborn warned.
Related: Jump Crypto and Oasis.app 'Counter-exploit' Hacker Wormhole for $225M
The firm said it would not release further technical details of the exploits at this time due to their severity, adding that it made a "good faith effort" to contact all affected parties to disclose the potential exploits and provide remediation for the vulnerabilities. .
Dogecoin, Zcash and Litecoin have already implemented patches for the discovered vulnerabilities, but hundreds could still be exposed according to Halborn.
Post navigation
Previous Post
The State Tackles Cryptocurrency
