Rab13s Vulnerabilities Discovered In Dogecoin Code, Affecting Over 280 Networks

A leading security firm, Halborn, has uncovered a critical vulnerability in the open-source codebase of several blockchain networks, including Dogecoin, Litecoin, and Zcash. The vulnerability has been named Rab13s, and it puts over $25 billion in digital assets at risk.

According to the blog post, after being contracted to evaluate the Dogecoin open-source codebase, Halborn discovered several exploitable vulnerabilities that have since been fixed by the Dogecoin team. 

However, upon further review, the same vulnerabilities were found in over 280 other networks, including Litecoin and Zcash. Halborn’s Senior Offensive Security Engineer, Hossam Mohamed, led the research team that uncovered the vulnerabilities.

The blog post claimed that the most critical vulnerability found by Halborn was related to the peer-to-peer communications of affected networks. Attackers can craft consensus messages and send them to individual nodes, taking them offline. 

Furthermore, an attacker can crawl the network peers using a “getaddr” message and attack unpatched nodes. While some of the other issues were known CVEs from Bitcoin, a zero-day vulnerability was uniquely related to Dogecoin, impacting individual miners via an RPC remote code execution vulnerability.

After discovering zero-day vulnerabilities in certain blockchain networks, such as Litecoin and Zcash, Halborn has attempted to contact all affected networks for responsible disclosure. They urge all impacted networks to reach out for more information.

Node Upgrade Recommended: Dogecoin Latest Version 1.14.6

The vulnerabilities, known as Rab13s, were found in the p2p messaging mechanisms of affected networks. Because they are simple to exploit, the likelihood of attack is higher.

Exploiting Rab13s enables attackers to send malicious consensus messages to individual nodes, causing them to shut down and exposing the network to risks such as 51% attacks and other severe issues.

Halborn has created an exploit kit for Rab13s, complete with a proof of concept that includes configurable parameters to demonstrate attacks on different networks.

They have provided all necessary technical information to identified stakeholders to help remediate the bugs and release necessary patches for the community and miners.

For projects using a UTXO-based node (e.g., Dogecoin), Halborn recommends upgrading all nodes to the latest version (1.14.6). Due to the severity of the issues, Halborn is not releasing further technical or exploit details at this time.

Nevertheless, the discovery of the Rab13s vulnerability highlights the need for ongoing security assessments in blockchain networks. 

Halborn’s work in identifying and remediating the vulnerabilities in affected networks serves as a reminder of the importance of responsible disclosure and the need for collaboration to ensure the security and integrity of the digital asset space.
