vulnerability

Bitcoin Ordinals could be stopped if blockchain bug is patched, claims dev

A Bitcoin Core developer claimed Bitcoin Ordinals exploit a vulnerability allowing inscribers to bypass data size limits, which could soon be fixed.

A bug fix on the Bitcoin network could put a stop to new Bitcoin Ordinals and BRC-20 tokens causing network congestion by “exploiting a vulnerability,” claims a Bitcoin Core developer.

In a Dec. 6 X (formerly Twitter) post, developer Luke Dashjr said inscriptions — used by Ordinals and BRC-20 creators to embed data on satoshi’s — exploit a Bitcoin Core vulnerability to “spam the blockchain.”

He explained the Bitcoin Core code has allowed users to set limits on the size of extra data in transactions since 2013, but “by obfuscating their data as program code, inscriptions bypass this limit.”

Read more

BitGo patches critical vulnerability first discovered by Fireblocks

BitGo has patched a vulnerability that threatened to expose the private keys of retail and institutional users.

Cryptocurrency wallet BitGo has patched a critical vulnerability that could have exposed the private keys of retail and institutional users.

Cryptography research team Fireblocks identified the flaw and notified the BitGo team in December 2022. The vulnerability was related to BitGo Threshold Signature Scheme (TSS) wallets and had the potential to expose the private keys of exchanges, banks, businesses and users of the platform.

The Fireblocks team named the vulnerability the BitGo Zero Proof Vulnerability, which would allow potential attackers to extract a private key in under a minute using a small amount of JavaScript code. BitGo suspended the vulnerable service on Dec. 10 and released a patch in February 2023 that required client-side updates to the latest version by March 17.

The Fireblocks team outlined how it identified the exploit using a free BitGo account on mainnet. A missing part of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol allowed the team to expose the private key through a simple attack.

Related: Euler Finance hacked for over $195M in a flash loan attack

Industry-standard enterprise-grade cryptocurrency asset platforms make use of either multiparty-computation (MPC/TSS) or multisignature technology to remove the possibility of a single point of attack. This is done by distributing a private key between multiple parties, to ensure security controls if one party is compromised.

Fireblocks was able to prove that internal or external attackers could gain access to a full private key through two possible means.

A compromised client-side user could initiate a transaction to acquire a portion of the private key held in BitGo’s system. BitGo would then perform the signing computation before sharing information that leaks the BitGo key shard.

“The attacker can now reconstruct the full private key, load it in an external wallet and withdraw the funds immediately or at a later stage.”

The second scenario considered an attack if BitGo was compromised. An attacker would wait for a customer to initiate a transaction, before replying with a malicious value. This is then used to sign the transaction with the customer’s key shard. The attacker can use the response to reveal the user’s key shard, before combining that with BitGo’s key shard to take control of the wallet.

Fireblocks noted that no attacks have been carried out by the identified vector but warned users to consider creating new wallets and moving funds from ECDSA TSS BitGo wallets prior to the patch

Hacks of wallets have been commonplace across the cryptocurrency industry in recent years. In August 2022, over $8 million was drained from over 7,000 Solana-based Slope wallets. Algorand network wallet service MyAlgo was also targeted by a wallet hack that saw over $9 million drained from various high-profile wallets.

OpenSea patches vulnerability that potentially exposed users’ identities

Cybersecurity firm Imperva found a vulnerability that could be used to leak user information such as email addresses and phone numbers, which has now been patched.

Nonfungible token marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could have exposed identifying information about its anonymous users. 

In a March 9 blog post blog, cybersecurity firm Imperva detailed how it discovered the vulnerability, which it claimed could deanonymize OpenSea users “by linking an IP address, a browser session, or an email in certain conditions” to an NFT.

As the NFT corresponds to a cryptocurrency wallet address, a user’s real identity could be revealed from the information gathered and linked to the wallet and its activity, Imperva explained.

The exploit is understood to have taken advantage of a cross-site search vulnerability. Imperva claimed OpenSea had misconfigured a library that resizes webpage elements that load HTML content from elsewhere that are typically used to place ads, interactive content, or embedded videos.

As OpenSea didn’t restrict this library’s communications, exploiters could use the information it broadcasts as an “oracle” to narrow down when searches return no results as the webpage would be smaller.

Imperva detailed that an attacker would send their target a link through email or SMS, which if clicked “reveals valuable information, such as the target’s IP address, user agent, device details, and software versions.”

Screenshot of OpenSea’s front page. Source: OpenSea

The attacker would then use OpenSea’s vulnerability to extract the NFT names of their target and associate the corresponding wallet address with identifying information such as an email or phone number which was sent the original link.

Imperva said OpenSea “quickly addressed the issue” and properly restricted the library’s communications, reporting that the platform “was no longer at risk of such attacks.”

Related: Security team creates dashboard to detect potential NFT hacks in OpenSea

Users of the platform have long been victims of attacks that mimic OpenSea’s functions to undertake exploits, such as phishing websites that resemble the platform or signature requests appearing to originate from OpenSea.

OpenSea itself has faced criticism for its platform security due to a major phishing attack in February 2022 that resulted in over $1.7 million worth of NFTs being stolen from users.

As for the recent patch, it’s unknown how long it existed or if any users had been affected by the exploit.

OpenSea did not immediately respond to Cointelegraph’s request for comment.

DeFi auditor nets $40,000 for identifying Uniswap vulnerability

A security firm flagged a now-fixed vulnerability to Uniswap, highlighting the potential for reentrancy attacks on the protocol’s Universal Router smart contract.

Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability of the protocol’s Universal Router smart contract.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible tokens (NFTs) swapping into a single swap router.

Uniswap also advertised a lucrative bug bounty program to identify potential vulnerabilities in its smart contracts toward the end of 2022 as it looked to assure the safety and efficacy of its protocol.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub’s breakdown, the Universal Router allows users to perform diverse actions including swapping multiple tokens and NFTs in one transaction.

The router embeds a scripting language for a wide variety of token actions, which could include transfers to third party recipients. If correctly implemented, transfers would go to the recipient within specified parameters.

Related: Immunefi says it has facilitated $66M in bug bounties since inception 

However, Dedaub identified a vulnerability in which a third-party code was invoked during the transfer, allowing the code to re-enter the Universal Router and claim any tokens that were temporarily in the contract.

Dedaub then suggested a straightforward remedy, advising the Uniswap team to add a reentrancy lock to the core execution of the new router. Uniswap awarded the auditing firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap’s bonus period in November 2022.

Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have a high impact and low likelihood. According to Dedaub, the possibility of a user sending NFTs to an untrusted recipient directly was considered a user error.

More complex and less likely scenarios were considered valid for reentrancy, which resulted in Uniswap deeming the vector to have a low likelihood. Cointelegraph has reached out to Uniswap to ascertain further details of its ongoing bounty program, amounts paid out and the number of bugs identified to date.

Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies look to ensure the security of their software, systems and infrastructure. 

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.

This AI chatbot is either an exploiter’s dream or their nightmare

The crypto community has come across an AI-powered chatbot that can be used to audit smart contracts and expose vulnerabilities.

The online crypto community has discovered a new Artificial Intelligence (AI)-powered chatbot that can either be used to warn developers of smart contracts vulnerabilities or teach hackers how to exploit them. 

ChatGPT, a chatbot tool built by AI research company OpenAI, was released on Nov. 30 and was designed to interact “in a conversational way” with the ability to answer follow-up questions and even admit mistakes, according to the company.

However, some Twitter users have come to realize that the bot could potentially be used for both good and evil, as it can be prompted to reveal loopholes in smart contracts.

Stephen Tong, co-founder of smart contract auditing firm Zellic asked ChatGPT to help find an exploit, presenting a piece of smart contract code.

The bot responded by noting the contract had a reentrancy vulnerability where an exploiter could repeatedly withdraw the funds from the contract and provided an example of how to fix the issue.

This similar type of exploit was used in May by the attacker of the Decentralized finance (DeFi) platform Fei Protocol who made off with $80 million.

Others have shared results from the chatbot after prompting it with vulnerable smart contracts. Twitter user devtooligan shared a screenshot of ChatGPT, which provided the exact code needed to fix a Solidity smart contract vulnerability commenting “we’re all gonna be out of a job.”

With the tool, Twitter users have already begun to jest they’re able to now start businesses for security auditing simply by using the bot to test for weaknesses in smart contracts.

Cointelegraph tested ChatGPT and found it can also create an example smart contract from a prompt using simple language, generating code that could apparently provide staking rewards for Ethereum-based nonfungible tokens (NFTs).

ChatGPT’s example Solidity smart contract for NFT staking rewards from a simple prompt. Image: Cointelegraph.

Despite the chatbot’s ability to test smart contract functionality, it wasn’t solely designed for that purpose and many on Twitter have suggested some of the smart contracts it generates have issues.

The tool also might provide different responses depending on the way it’s prompted, so it isn’t perfect.

Related: Secret Network resolves network vulnerability following white hat disclosure

OpenAI CEO Sam Altman tweeted that the tool was “an early demo” and is “very much a research release.”

He opined that “language interfaces are going to be a big deal” and tools such as ChatGPT will “soon” have the ability to answer questions and give advice with later iterations completing tasks or even discovering new knowledge.

This AI chatbot is either an exploiter’s dream or their nightmare

The crypto community has come across an AI-powered chatbot that can be used to audit smart contracts and expose vulnerabilities.

The online crypto community has discovered a new artificial intelligence (AI)-powered chatbot that can either be used to warn developers of smart contracts vulnerabilities or teach hackers how to exploit them. 

ChatGPT, a chatbot tool built by AI research company OpenAI, was released on Nov. 30 and was designed to interact “in a conversational way” with the ability to answer follow-up questions and even admit mistakes, according to the company.

However, some Twitter users have come to realize that the bot could potentially be used for both good and evil, as it can be prompted to reveal loopholes in smart contracts.

Stephen Tong, co-founder of smart contract auditing firm Zellic asked ChatGPT to help find an exploit, presenting a piece of smart contract code.

The bot responded by noting the contract had a reentrancy vulnerability where an exploiter could repeatedly withdraw the funds from the contract and provided an example of how to fix the issue.

This similar type of exploit was used in May by the attacker of the decentralized finance (DeFi) platform Fei Protocol who made off with $80 million.

Others have shared results from the chatbot after prompting it with vulnerable smart contracts. Twitter user devtooligan shared a screenshot of ChatGPT, which provided the exact code needed to fix a Solidity smart contract vulnerability commenting “we’re all gonna be out of a job.”

With the tool, Twitter users have already begun to jest they’re able to now start businesses for security auditing simply by using the bot to test for weaknesses in smart contracts.

Cointelegraph tested ChatGPT and found it can also create an example smart contract from a prompt using simple language, generating code that could apparently provide staking rewards for Ethereum-based nonfungible tokens (NFTs).

ChatGPT’s example Solidity smart contract for NFT staking rewards from a simple prompt. Image: Cointelegraph.

Despite the chatbot’s ability to test smart contract functionality, it wasn’t solely designed for that purpose and many on Twitter have suggested some of the smart contracts it generates have issues.

The tool also might provide different responses depending on the way it’s prompted, so it isn’t perfect.

Related: Secret Network resolves network vulnerability following white hat disclosure

OpenAI CEO Sam Altman tweeted that the tool was “an early demo” and is “very much a research release.”

He opined that “language interfaces are going to be a big deal” and tools such as ChatGPT will “soon” have the ability to answer questions and give advice with later iterations completing tasks or even discovering new knowledge.