The vulnerability has since been patched, though it affected a number of leading transaction simulation vendors.
According to a blog post published by developers of crypto wallet ZenGo, the firm said it had uncovered security vulnerabilities in transaction simulation solutions used by popular decentralized applications, or dApps. Dubbed the "red pill attack," this vulnerability allowed malicious dApps to steal user assets based on opaque transaction approvals offered to and approved by users. The vulnerability derives its name from the iconic "red pill" scene from The Matrix movie series.
"If malware is able to detect it's actually being executed in a simulated environment or living in the matrix, it can behave in a benign manner, thus deceiving the anti-malware solution, and reveal its true malicious nature only when actually executed in a real environment."
ZenGo claimed its research revealed that many leading vendors, including Coinbase Wallet, were at one point in time vulnerable to such attacks. "All vendors were very receptive to our reports," said ZenGo, "and most of them were quick to fix their faulty implementations."
The vulnerability is possible due to a programming oversight in "Special Variables" among smart contracts storing general information on the blockchain functionality, such as the timestamp of the current block. During simulations, however, ZenGo says there is no correct value for Special Variables and claims developers "take a shortcut" and set them to an arbitrary value.
"For example, the "COINBASE" instruction contains the address of the current block miner. Since during simulation there is no real block and hence no miner, some simulation implementations just set it to the null address (all zeros address)."
In a video, ZenGo developers demonstrated how a smart contract simulation on Polygon (MATIC) that asks users to send native coins in exchange for another could be compromised via this method:
"When the user actually sends the transaction on-chain, COINBASE [Wallet] is actually filled with the non-zero address of the current miner and the contract just takes the sent coins."
ZenGo said the fix for the vulnerability was straightforward: "instead of populating these vulnerable variables with arbitrary values, the simulations need to populate them with meaningful values." The firm presented redacted screenshots of bug bounties, apparently awarded by Coinbase, for solving the issue. The Ethereum (ETH) Foundation has also awarded ZenGo a $50,000 grant for their research on transaction simulations.
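A small model of the failure and the fix described above, as an added example that is not ZenGo's or any vendor's code: it runs a toy contract under a simulator context with placeholder special variables and under a realistic one, then flags the divergence. All names here (`BlockContext`, `toy_swap`, `simulate`) and the sample addresses and timestamp are hypothetical, and treating a zero timestamp as a placeholder is an assumption.

```python
from dataclasses import dataclass

NULL_ADDRESS = "0x" + "00" * 20   # the "all zeros address" from the article
REAL_MINER = "0x" + "11" * 20     # constructed stand-in for a real miner address


@dataclass(frozen=True)
class BlockContext:
    coinbase: str    # value the COINBASE instruction returns
    timestamp: int   # timestamp of the current block


def placeholder_fields(ctx):
    """Names of special variables the simulator left at a placeholder value."""
    found = []
    if int(ctx.coinbase, 16) == 0:
        found.append("coinbase")
    if ctx.timestamp == 0:        # assumption: 0 is treated as a placeholder
        found.append("timestamp")
    return found


def toy_swap(ctx, sent):
    """Toy model of the contract in the article: amount the user gets back."""
    return sent if int(ctx.coinbase, 16) == 0 else 0


def simulate(contract, sent, sim_ctx, realistic_ctx):
    """Run the contract under the simulator's context and a realistic one."""
    shown = contract(sim_ctx, sent)
    real = contract(realistic_ctx, sent)
    return {
        "shown_to_user": shown,
        "with_real_values": real,
        "diverges": shown != real,
        "placeholders": placeholder_fields(sim_ctx),
    }


realistic = BlockContext(REAL_MINER, 1_700_000_000)   # constructed values
naive = simulate(toy_swap, 100, BlockContext(NULL_ADDRESS, 0), realistic)
fixed = simulate(toy_swap, 100, realistic, realistic)

if __name__ == "__main__":
    print("naive simulator:", naive)
    print("fixed simulator:", fixed)
```

With the placeholder context the preview shows the user receiving coins back while the realistic context shows a loss; once the simulator is populated with meaningful values, the preview and the on-chain outcome agree.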
Quick shoutout to security researcher @0xVazi from @ZenGo who made some helpful, proactive suggestions recently!
We love working together with others in the security space to keep everyone safe