- Malicious decentralized applications can steal assets as users approve opaque transactions
- Vulnerability caused by developer omission, random values assigned to special variables
According to research by the developers of ZenGo, a novel cryptocurrency wallet, Coinbase Wallet and other leading vendors can fall victim to security breaches because of a so-called “red pill” vulnerability in transaction simulation solutions, CoinTelegraph wrote.
Users misled to approve opaque transactions
This vulnerability makes it possible for malicious decentralized applications to steal user assets as users approve opaque transactions. Its name comes from the infamous Matrix “red and blue pill” scene.
ZenGo developers added that all vendors they approached about the issue were very receptive to their reports and most of them remedied their faulty implementations quickly.
Programming oversight caused the vulnerability
The vulnerability was caused by a developer omission concerning so-called “Special Variables”: values that smart contracts read to learn general facts about the blockchain, such as the current block’s timestamp.
ZenGo found that these variables had no accurate values during simulations, which led them to conclude that developers had taken a “shortcut” and assigned a random value to them. They gave the COINBASE instruction as an example:
The “COINBASE” instruction contains the address of the current block miner. Since during simulation there is no real block and hence no miner, some simulation implementations just set it to the null address (the all-zeros address).
ZenGo’s developers showed how this vulnerability could be used to fool the simulation of a smart contract that asks users to send native tokens in exchange for other assets: during simulation the special variable holds the null address, so the contract appears to deliver the promised assets.
When the user actually carries out the transaction on the blockchain, the same variable holds the current miner’s non-zero address, and the smart contract simply keeps the tokens sent.
The solution
ZenGo proposed an easy fix: assigning meaningful rather than random values to the vulnerable variables.
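To make the failure mode and the fix concrete, here is an added Python model (not ZenGo’s or any vendor’s code) of how a wallet’s simulator can be tested: the same contract logic is run under the “shortcut” defaults and under plausible pending-block values, and a simulation whose verdict depends on the placeholder defaults is flagged. The 12-second slot, the sample proposer address and the contract model are constructed assumptions.

```python
"""Model of EVM special-variable defaults in transaction simulation.
Added example; the contract and block values are constructed, not real."""
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20
SAMPLE_PROPOSER = "0x" + "ab" * 20  # constructed placeholder, not a real address


@dataclass
class BlockContext:
    coinbase: str   # what the COINBASE instruction returns
    timestamp: int  # what TIMESTAMP returns
    number: int     # what NUMBER returns


def naive_context() -> BlockContext:
    """The 'shortcut' described in the article: no real block, so zero everything."""
    return BlockContext(coinbase=ZERO_ADDRESS, timestamp=0, number=0)


def hardened_context(latest_number: int, latest_timestamp: int, proposer: str) -> BlockContext:
    """Meaningful values for the pending block (the proposed fix).
    Assumes ~12 s slots; the proposer is whatever the node reports."""
    return BlockContext(coinbase=proposer, timestamp=latest_timestamp + 12, number=latest_number + 1)


def honest_swap(ctx: BlockContext, sent_native: int) -> int:
    """A contract that really does return assets regardless of block state."""
    return sent_native * 2


def red_pill_swap(ctx: BlockContext, sent_native: int) -> int:
    """Model of the contract in the article: pays out only when the block
    looks simulated (null COINBASE); on a real block it keeps the tokens."""
    return sent_native * 2 if ctx.coinbase == ZERO_ADDRESS else 0


def simulate(contract, ctx: BlockContext, sent_native: int) -> dict:
    """What the wallet would show the user: tokens sent, assets received, net."""
    received = contract(ctx, sent_native)
    return {"sent": sent_native, "received": received, "net": received - sent_native}


def simulation_is_trustworthy(contract, sent_native: int, latest_number: int,
                              latest_timestamp: int, proposer: str) -> bool:
    """Differential check for simulator vendors: if the outcome changes between
    placeholder and realistic special variables, the result must not be shown
    to the user as the expected on-chain effect."""
    naive = simulate(contract, naive_context(), sent_native)
    hard = simulate(contract, hardened_context(latest_number, latest_timestamp, proposer), sent_native)
    return naive["net"] == hard["net"]
```

The hardened context alone already reproduces the on-chain outcome (a loss of the tokens sent); the differential check is an extra regression test so that a reintroduced shortcut is caught before users see a misleading preview.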
Coinbase rewarded ZenGo for preventing potential issues, and the company showed redacted screenshots of the rewards. ZenGo also received a $50,000 grant from the Ethereum Foundation for its research on transaction simulations.