Halborn
Mar 13 · 10 tweets · 3 min read
🚨 Halborn discovered massive #ZeroDay impacting Dogecoin and 280+ networks including Litecoin and Zcash, putting over $25 Billion of digital assets at risk!

🧵👇...
1/ In March 2022, Halborn started to evaluate #dogecoin under a contract and found several vulnerabilities which were fixed by the Dogecoin team.
2/ During the assessment, it was found that the same vulns affected over 280 other networks including #litecoin and #zcash, which have since been addressed and patched.
3/ The most critical vulnerability discovered is related to peer-to-peer (p2p) communications, where attackers can craft consensus messages and send them to individual nodes, taking them offline.

Halborn researchers, led by @safe_buffer, have code-named this vulnerability #Rab13s.
4/ Another zero-day identified by Halborn was uniquely related to #Dogecoin, including an RPC vulnerability impacting individual miners.

Subsequently, variants of these 0-days were also discovered in similar blockchain networks potentially leading to DoS or RCE attacks.
5/ A good faith effort has been made to contact the affected networks for responsible disclosure. However, all affected networks are encouraged to contact Halborn at disclosures@halborn.com
6/ 🤔 What are the consequences?

👉 Firstly, vulnerabilities were found in the p2p messaging mechanisms. Malicious consensus messages can be sent to each node, causing them to shut down and exposing the network to severe risks like 51% attacks.
7/ 👉 Secondly, attackers can execute code through the public interface (RPC) as a normal node user. Since a valid credential is required to carry out the attack, the likelihood of this exploit is lower.
8/ Remediation👇
Halborn recommends upgrading all UTXO-based nodes (e.g. Dogecoin) to the latest version (1.14.6).
Considering the severity of the issue, Halborn will not release the technical details or exploit details at this time.
9/ Keep an eye on our blog and follow us on Twitter (@HalbornSecurity) for the latest updates.
halborn.com/blog/post/halb…