Coinbase Wallet Exposed to Attackers Due to ‘Red Pill’ Flaw, Causing Security Concerns
- Written by Ari Denial, Cybersecurity & Tech Writer
Vulnerability found in Coinbase Wallet and other decentralized Crypto Apps, allowing malicious smart contract behavior to evade security features through Red Pill attacks.
Coinbase is a top crypto exchange that enables users to store, manage, and purchase ERC-20 Tokens, Bitcoin & Ethereum through its popular wallet app. ZenGo discovered the Red Pill attack exploiting security flaws shared by Coinbase and other cryptocurrency wallet providers.
Transaction simulation is a common security feature in Web3 platforms that uses sandbox emulation to anticipate the results of cryptocurrency transactions before they are executed. Its main purpose is to prevent cryptocurrency scams and theft by allowing users to test and preview their transactions before initiating them.
ZenGo identified a technique it calls the “red pill attack” that exploits transaction simulators and enables the theft of cryptocurrency. The attack relies on the malicious contract detecting that it is running inside a simulation: it behaves harmlessly while being simulated, deceiving the simulation-based protections, and reveals its malicious behavior only when executed in a real environment, according to ZenGo’s research blog.
Smart contracts can also be exploited by threat actors for malicious purposes, such as stealing cryptocurrency that has been sent or draining a wallet of its assets.
Distinguishing between malicious and legitimate contract signing requests is difficult, posing a challenge for cryptocurrency holders trying to navigate potential dangers.
The six cryptocurrency wallet apps that ZenGo Wallet found to be vulnerable to “red pill attacks” are Coinbase Wallet, Rabby Wallet, Blowfish, PocketUniverse, Fire Extension, and an unnamed extension that has yet to address the issue.
Following the report from ZenGo Wallet, all of the mentioned vendors, except for one unnamed extension, have implemented fixes on their transaction simulation to address the vulnerability.
The fix for this attack is for transaction simulators to stop supplying arbitrary values for such variables, so that a malicious contract can no longer use them as “red pills” to tell a simulation apart from a real execution.

Leading Cryptocurrency ATM Manufacturer General Bytes Loses $1.5M in Bitcoin in Hacking Attack
- Written by Ari Denial, Cybersecurity & Tech Writer
General Bytes reportedly experienced a security breach enabling an attacker to remotely access the master service interface and transfer funds from hot wallets. As a result, the majority of cryptocurrency ATM operators in the US had to temporarily suspend operations. The attacker successfully liquidated 56.28 bitcoins worth approximately $1.5 million from about 15 to 20 crypto ATM operators nationwide.
During the weekend, the company revealed that cybercriminals took advantage of a zero-day vulnerability, known as BATM-4780, to upload a Java application remotely via the ATM’s master service interface and execute it with ‘batm’ user privileges.
General Bytes clarified in its security incident disclosure that the perpetrator scanned the Digital Ocean cloud hosting IP address range and found CAS services running on port 7741. These included the General Bytes Cloud service as well as servers of other GB ATM operators hosted on Digital Ocean, which is the company’s recommended cloud hosting provider.
Once the Java application was uploaded, the attackers were able to execute it. General Bytes cautioned that both its customers and its own cloud service were compromised during the attacks.
In addition to disclosing the amount of money stolen, the company also shared a list of cryptocurrency addresses the attacker used during the attack.
As of the latest update, the stolen bitcoin remains in the attacker’s Bitcoin wallet. However, it appears that the attackers have converted the stolen Ethereum to USDT using Uniswap.
Even if there are no signs of a security breach, General Bytes advises all users to assume that their CAS passwords and API keys have been compromised and to immediately invalidate and generate new ones. Additionally, all user passwords should be reset as a precautionary measure.
The company has announced plans to conduct multiple security audits of its products by several firms within a short timeframe, in an effort to identify and resolve any other potential vulnerabilities before they can be exploited by malicious actors.