- ZenGo reveals security risks in many Web3 vendors.
- The crypto wallet is awarded bug bounties and grants.
- Called a “red pill attack,” it can steal user assets.
ZenGo crypto wallet developers have discovered security vulnerabilities in DApps (Decentralised Applications) around the Web3 space.
On March 20, ZenGo, a crypto wallet, published a blog post explaining how it came across security risks in transaction simulation solutions used by most DApps. It is named “Red Pill Attack” from the red pill in the famous movie franchise Matrix.’
The malicious intent of these security vulnerabilities is to steal user assets through preliminary transaction approvals offered and authorized by users. ZenGo stated that it could only come across these vulnerabilities due to its research on blockchain security.
According to the blog post, multiple vendors offering transaction simulation solutions were found to have been victims of these security attacks. They had since rectified them when it was brought to their notice by ZenGo. Some of these vendors did not let ZenGo’s good deed go unrewarded, as the crypto wallet received multiple bug bounties and an Ethereum Foundation $50,000 grant.
Additionally, ZenGo mentioned that if malware can detect being executed in a simulated environment or within the Matrix, it can act benignly and deceive the anti-malware solution. Still, it can only reveal its initial intent when executed in a natural environment.
How Does This Work?
ZenGo stated that these security vulnerabilities lie in smart contracts, and by using an example, the developers explained how they are operated. This error can be blamed on programming oversight in “special variables” among smart contracts collecting information on the blockchain functionality or data on the user-controlled parameters of the transaction.
“Since these variables can take a range of values, they have no accurate value. Hence, it was tempting for simulation creators to take a shortcut and set them to a constant value.”
Using “COINBASE” as an example to bolster the explanation, ZenGo said that the “COINBASE” instructions could include the address of the present block miner. Since there is no fundamental block during simulation, there is also no miner, allowing some simulation implementations to set it to a null address (zeros address).
“If COINBASE is zero, the contract will return some coins, making the transaction profitable for the user as its wallet simulated it. However, when the user moves the transaction on-chain, COINBASE is filled with the non-zero address of the existing miner, and the malicious contract steals the transferred coins,” the developers explained.
After demonstrating how the red pill attack is executed on a YouTube video, ZenGo suggested a solution to rectify it. Rather than populating these vulnerable variables with unsteady values, the simulation should populate them with significant values.
Conclusion
Decentralized Applications (DApps) are the foundation of user interaction in the Web3 universe. Hence, blockchain security is highly recommended. ZenGo’s discovery has alerted Web3 vendors about a programming oversight that could prove harmful.
