Crypto Shuttle News

Tag: security

  • The Security Risks of THORChain (RUNE)

    The Security Risks of THORChain (RUNE)

    [ad_1]

    According to THORChain’s treasury report for Q1 2022 released on April 1, the chain registered a growth in revenue despite the twofold impact of persistent market sluggishness and highly unstable geopolitical factors. Public data shows that THORChain recorded $2.17 billion in revenue in Q1 2022. THORChain, acclaimed as the “cross-chain version of UniSwap”, gained a foothold in the cross-chain trading market relying on its unique advantages and earned extensive recognition among investors.

    Behind all these glamours, THORChain is also deeply troubled by hacking. The chain suffered frequent security breaches since it was launched on Ethereum, a fact that casts doubt on its security. On April 11, THORChain tweeted about phishing attacks, warning users not to interact with [DeTHOR] or other unknown tokens within their wallets, which once again raised concerns about its security issues.

    While building a sound security system for CoinEx products, the CoinEx security team also keeps track of security incidents in the blockchain space to help users better understand the security of different projects from the perspective of technical security and mitigate the investment risk. Aiming to improve the security criteria for the blockchain sector, the CoinEx security team has analyzed the security risks of THORChain (RUNE). The team hopes that THORChain could note and mitigate the following risks by optimizing the relevant smart contract codes. In addition, this article is also a warning for users, reminding them to be more aware of asset security and avoid asset losses.

    How secure is THORChain (RUNE)?

    Through analysis of the contract code and logic of THORChain (RUNE), the CoinEx security team has found the following risks:

    To begin with, let’s check out the contract code of THORChain (RUNE):

    https://etherscan.io/address/0x3155ba85d5f96b2d030a4966af206230e46849cb#code

    We can tell that RUNE is a pretty standard ERC-20 token. It should be noted that apart from the ERC-20 interface, THORChain (RUNE) offers an additional interface:

    According to transferTo (as shown in the picture above), THORChain (RUNE) uses tx.origin, which is one of the causes behind its security risks. Here, we should explain the difference between tx.origin and msg.sender:

    The below picture describes what happens when a regular address calls the smart contract:

    In such cases, msg.sender = account.address, and tx.origin = account.address, which means that msg.sender is just the same as tx.origin.

    The following is what happens when an account calls contract A, and contract A calls contract B:

    When contract A calls contract B (as shown above), we can tell that msg.sender equals tx.origin in contract A.

    However, in contract B, msg.sender = contractA.address, while tx.origin = account.address. Therefore, tx.origin is like a global variable that traverses the entire call stack and returns the address of the account that originally sent the transaction. This is the key issue: to date, almost all known attacks against THORChain (RUNE) relate to tx.origin.

    Let’s now find out how attackers steal users’ RUNE tokens through tx.origin:

    Attack No.1: Pilfer a Goat from a Herd

    Addresses on Ethereum are divided into external addresses and contract addresses. Transferring ETH to these two types of addresses through external addresses is fundamentally different. The Official Documentation of solidity states that a contract address must implement a receive Ether function before making transfers.

    In light of the features of tx.origin, hackers may build an Attack contract:

    When the Attack contract receives an ETH transfer from a user, it will “pilfer a goat from a herd” — the contract will steal the user’s RUNE tokens in the process.

    Attack No.2: Internal Attack

    An Internal Attack is a special type of attack. When trying to steal a user’s RUNE through an Internal Attack, the hacker needs to have a medium token. Moreover, the token must also call third-party contracts. According to the transfer records of RUNE on Ethereum, some attackers hacked RUNE through AMP Token transfers.

    AMP Token uses the ERC-1820 standard to manage Hook registration and examine whether Hook is registered upon each transfer. If Hook has been registered, then the Hook will be called.

    The contract code of AMP Token shows that the final implementation of the transfer is: _transferByPartition. Meanwhile, there are two calls involving transferHook: _callPreTransferHooks (before the transfer) and _callPostTransferHooks (after the transfer). In particular, _callPreTransferHooks is for the from address, while _callPostTransferHooks is for the to address (i.e. the receiving address).

    For regular users, stealing tokens from themselves is pointless. Therefore, attackers may exploit _callPostTransferHooks. Let’s now check out the codes of _callPostTransferHooks.

    IAmpTokensRecipient(recipientImplementation).tokensReceived()

    We can tell that the only callback that attackers could exploit is IAmpTokensRecipient(recipientImplementation).tokensReceived()

    Next, we will illustrate how this call can be used to transfer a user’s RUNE while making an AMP Token transfer.

    Step 1: A call contract is needed (as shown below):

    Step 2: Deploy the contract to obtain the Attack Address.

    Step 3: Call the ERC-1820 contract interface (setInterfaceImplementer) to register the interface.

    ERC-1820 Address: 0x1820a4B7618BdE71Dce8cdc73aAB6C95905faD24

    Contract interface: setInterfaceImplementer(address toAddr, bytes32 interfaceHash, address implementer)

    In particular, toAddr is the receiving address of the AMP transfer,

    interfaceHash为AmpTokensRecipient的hash:

    0xfa352d6368bbc643bcf9d528ffaba5dd3e826137bc42f935045c6c227bd4c72a

    interfaceHash is the hash of AmpTokensRecipient:

    0xfa352d6368bbc643bcf9d528ffaba5dd3e826137bc42f935045c6c227bd4c72a

    Implementer is the Attack Address obtained in Step 2.

    Step 4: Lure a user to transfer AMP to the toAddr to trigger a callback, and steal his RUNE at the same time.

    Attack No.3: Phishing Attack

    As its name suggests, in a phishing attack, the attacker promises to give away incredible benefits to lure users into performing certain contract operations. Here, we will introduce a common phishing attack.

    Step 1: The attacker issues an ERC-20 token, and may write it into any contract interface that involves signatures.

    Step 2: Create a trading pair on Uniswap or any other swap;

    Step 3: Offer airdrops to all users/addresses who hold RUNE tokens;

    The initial work of the phishing attack is basically completed through the above these steps. Next, the attacker only has to wait for users to trade on a swap, and users risk losing their RUNE once they perform operations such as approve, transfer, etc.

    In addition, in order to further verify the security risk of THORChain contract code, CoinEx has discussed with the security team from SlowMist and PeckShield, two well-known security agencies in the industry. Confirmed by SlowMist and PeckShield, the security risk mentioned above does exist.

    So far, we have covered several types of attacks, as well as the security risks that users are exposed to.

    How should the project team optimize the contract code to make itself more secure and protect users’ assets?

    The only answer is to be cautious about using tx.origin.

    How can regular users mitigate risks and protect their assets in the face of attacks that seem unavoidable? The CoinEx security team offers the following suggestions:

    1. For Attack No.1: When making a transfer, keep track of the estimated Gas consumption. For a regular ETH transfer, a Gas fee of 21,000 is more than enough. Be careful if the Gas consumption far exceeds that figure.
    2. For Attack No.2: Isolate your tokens by adopting different wallets. You can store different tokens in different addresses. Extra caution is needed when it comes to the hot wallet address offered by exchanges.
    3. For Attack No.3: Greed is the source of all evil. Do not blindly participate in any airdrop event.

    Security has always been a top concern in the blockchain sector. All players, including project teams and exchanges, should prioritize security during project operation, keep users’ assets safe and secure, and jointly promote the sound growth of the blockchain industry.

    [ad_2]

    Source link

  • Security PSA: Mining Pool Scams Targeting Self-Custody Wallets | by Coinbase | Mar, 2022

    Security PSA: Mining Pool Scams Targeting Self-Custody Wallets | by Coinbase | Mar, 2022

    [ad_1]

    By Coinbase Security Team

    Coinbase

    As part of our mission to build a more fair, accessible, efficient, and transparent financial system enabled by crypto, we actively monitor for security threats not only to Coinbase but to the crypto ecosystem as a whole. As we have discussed in our previous blog posts on industry-wide crypto security threats and airdrop phishing campaigns, malicious activity against any crypto user or business is bad for the industry. That’s why it’s important to have a community mindset when we see security threats in the wild. As they say, rising tides lift all boats.

    Recently, our security teams have uncovered ongoing mining pool scams targeting users of self-custody wallets. These scams have primarily leveraged malicious smart contracts on the Ethereum network. Based on blockchain research into known scammer wallets, Coinbase estimates these have resulted in the theft of over $50 million in crypto assets from a variety of non-custodial wallet applications. These scams target those using any decentralized wallet browser (e.g. Coinbase Wallet, Metamask, Trust, etc).

    The scam typically follows this chain of events:

    • Victims are contacted via social media and/or other messaging services by scammers claiming to offer an attractive crypto investment opportunity to stake USDT (Tether) in their wallet for a guaranteed return
    • Victims are directed to visit a fraudulent website that can only be accessed via a crypto wallet browser or extension. These websites generally contain fake reviews, endorsements, live-feed payouts, and partner lists to add an appearance of authenticity
    • Scam sites will often fraudulently claim to be sponsored by or partnering with recognizable crypto brands such as Coinbase, Binance, and MetaMask
    • Example mining pool landing page

    Source: Scam Site

    • Clicking the ‘Receive’ button displays a pop up similar to this

    Source: Scam Site

    • Clicking this ‘Receive’ button will then display a fake pop-up designed to impersonate the Coinbase Wallet interface. The permissions that are displayed are not the true permissions that are actually being requested and are intentionally displayed in a way to attempt to trick users into clicking ‘Connect’

    Source: Scam Site

    • Viewing the smart contract via a trusted token approval checker shows the true permissions being requested. The scammer gains delegated transaction approval status with an unlimited transaction allowance within the victim wallet, meaning the scammer can approve USDT sends of any amount on behalf of this wallet.

    Source: etherscan.io

    • Attackers will remove USDT from the victim’s wallet and the scam site will show that their balance is increasing. Scammers will frequently reassure victims that if they add more funds, they will get more USDT in returns by mining.
    • At the end of the period, the funds are not returned to the victim and no profits will be received.
    • If the victim contacts customer support via the fraudulent website, the attacker may indicate they detected irregular activity on the account and that in order to fix that issue, the victim would need to pay additional USDT to ‘release’ the funds. However, no funds are ever returned regardless of whether or not the victim makes payment.

    The following security steps can be taken to defend your assets:

    • Be wary of investments that claim a guaranteed return
    • Be wary of investment advice and opportunities from unknown or untrusted sources
    • Do not visit or connect self-custody wallets to any unknown site
    • Do not hold high value assets in the same wallet used to regularly interact with dapps. Use cold storage or custodial solutions such as the freely available Coinbase Vault.
    • Use a token approval checker to validate actual permissioning on self-custody wallets and revoke approvals that you did not knowingly authorize.

    Coinbase is working with industry partners to take down these sites and developing ways to warn users when visiting known scam sites in order to help limit the damage caused by this type of scam.

    [ad_2]

    Source link

  • WEFUZZ, a fully decentralized, crowdsourced security audit and bug bounty solution | by Coinbase | Feb, 2022

    WEFUZZ, a fully decentralized, crowdsourced security audit and bug bounty solution | by Coinbase | Feb, 2022

    [ad_1]

    Coinbase

    This report updates on what WEFUZZ, Coinbase Crypto Community Fund grant recipient, has been working on over the first part of their year-long Crypto development grant. This specifically covers their work on a decentralized, crowdsourced security audit and bug bounty solution.

    By WEFUZZ, Coinbase Crypto Community Fund grant recipient

    WEFUZZ implements a fully decentralized, crowdsourced security audit and bug bounty solution: a set of smart contracts that allow developers and companies to get their smart contracts, blockchains, websites, etc., audited by the auditors and hackers community. With this work, WEFUZZ aims to become the *Hacker DAO*.

    Crowdsourcing is a sourcing model in which individuals or organizations obtain goods or services — including ideas, voting, micro-tasks etc., from a large, relatively open, and rapidly evolving group of participants. Companies like Uber, Gitcoin and GoJek already use this model. Crowdsourcing model offers improved costs, speed, quality, flexibility, scalability, and diversity.

    The traditional crowdsourcing system consists mainly of three roles: requesters, workers (auditors in our case), and a centralized system. Requesters submit tasks to be completed through the crowdsourcing system. A set of auditors complete this task and submit solutions to the crowdsourcing system. Requesters will then select a proper solution (usually the first or the best one that solves the task) and reward the corresponding worker

    This makes centralized systems vulnerable. User’s sensitive information (e.g. name, email address etc.,) and vulnerability reports are saved in the database of these centralized systems, which has the inherent risk of privacy disclosure and data loss. Centralized choke points are not only attack vectors for leaks and hacks, but also for outages.

    Crowdsourcing companies are keen on maximizing their benefits and require requesters paying for services, which in turn increase user’s costs. Most crowdsourcing systems demand a 10–25% service fee.

    All these issues add up to the already existing concerns of smart contract and multi-chains owners and developers (the audit requesters), freelance auditors’ and ethical hackers’ concerns. Some of these concerns are:

    • Ensuring their assets are safe from cyber theft, data hacks or any other risk that can result in a loss of funds and compromised data
    • Being able to get audits done in a cost-effective way — be it private or public security audits
    • Making sure the smart contracts are audited by multiple auditors
    • Hackers do not want to share sensitive personal data
    • Hackers and auditors and developers need complete transparency

    WEFUZZ is a fully decentralized, crowdsourced audit and bug bounty platform aiming to be the Hacker DAO. WEFUZZ aims to provide reliability, fairness, security and low service fees by design.

    The decentralized platform has many advantages such as higher user security, service availability, and lower costs. Smart contracts running on a chosen blockchain are used to perform the whole process of crowdsourcing tasks which contains posting audit and bounty campaigns, submitting audit and bug reports, bounty assignment, etc.

    WEFUZZ solution offers numerous added benefits to users:

    • Data Security: Reports are encrypted with auditors’ and target developers’ public key, so that the bug reports only gets read by who it is intended for. Files are encrypted and stored on the decentralized network storage. No more data breaches, hacks, password leaks or any other risk affecting existing cloud based audit and bug bounty platforms.
    • Cost Effectiveness: Allowing smart contract developers, multi-chain developers, and companies to get audits performed in a cost-effective way directly by the auditors and hacker crowd on the WEFUZZ platform. This helps the developers and companies avoid huge fees and congestion issues affecting the traditional bug bounty platforms.
    • Flexible anonymity: Auditors and hackers can choose to remain anonymous while submitting reports, protecting their privacy, and still getting paid.
    • Communication Security: No centralized data storage, complete anonymity, no data transfers, no moderators and complete end-to-end encryption. All the data resides encrypted on the Solana blockchain and all the files reside on the IPFS blockchain.

    Audit Requestors: Developers, companies or any individual can request audits or start a private/public bug bounty campaign.

    Auditors: Auditors can be anyone from ethical hackers to audit firms who can perform the requested audits or participate in bug bounty campaigns.

    Judges: Judges are community members who are either elected by the community or have been raised to the Judge category through reputation.

    Currently, we are working on the conceptualization, technical architecture, and system design of WEFUZZ, besides building our MVP on Solana and Polygon blockchains, and testing the optimal chain for our project.

    Please join our Discord and follow us on our Twitter and Medium to keep track of the progress. We are going to release the code and other tools we build as part of the research and development in this Github account.



    [ad_2]

    Source link

  • Coinbase to acquire leading cryptographic security company, Unbound Security

    Coinbase to acquire leading cryptographic security company, Unbound Security

    [ad_1]

    • Acquisition further underlines Coinbase’s commitment to providing the safest, most secure and most trusted venue for anyone to interact with the cryptoeconomy
    • Unbound’s best-in-class multi-party-computation expertise will play a foundational role in Coinbase’s product and security roadmap
    • With the acquisition of Unbound Security, Coinbase will establish a tech center of excellence in Israel, one of the world’s most advanced technology hubs

    From its earliest days, Coinbase has focused on protecting our customer’s assets with the strongest, most sophisticated security technology in the world. Over time, our approaches have evolved, but our objective has always been the same: to provide the safest, most secure and most trusted venue for anyone to interact with the cryptoeconomy.

    Today, we’re announcing the next phase of our security journey with the acquisition of Unbound Security. Based in Israel, it is a pioneer in a number of cryptographic security technologies, including the emerging field of secure multi-party computation (MPC), a highly advanced technology for which Unbound Security’s co-founder, Yehuda Lindell, is a world leader. With this acquisition, Coinbase not only gains access to some of the world’s most sophisticated cryptographic security experts, including Unbound Security co-founder and current Vice President of Research and Development, Guy Peer, who brings more than 20 years of experience in cryptographic security, but also a presence in Israel, a well-established and rapidly growing technology hub. This presence in Israel will add an additional powerful prong to Coinbase’s global talent acquisition strategy, following on closely to recent thrusts into engineering talent bases such as India, Singapore and Brazil.

    Crypto can’t grow without strong cryptography and strong security, but it also needs to be user friendly. Secure multi-party computation is an application of advanced mathematics to enable crypto assets to be stored, transferred and deployed more securely, easily and flexibly than ever before.

    The cryptoeconomy is growing exponentially with myriad new use cases such as staking, DeFi, DAOs and NFTs. Unfortunately so are the threat vectors and complexities for participants to safely manage their crypto private keys. Technologies such as MPC will enable these groundbreaking use cases to come to life safely, securely and in a way that’s user friendly. MPC will deliver on this by protecting our customers’ assets with a technique that provides the virtually impenetrable nature of cold, offline storage, with the frictionless convenience of hot, online wallets. Over time MPC capabilities will enable new features across our consumer, institutional and cloud products to participate in the cryptoeconomy.

    In addition to the technological expertise that we will gain through this acquisition, we also plan to establish a tech center of excellence in Israel that will ensure that Coinbase is always at the bleeding edge of security and blockchain technology. We’ve long recognized Israel as a hot bed of strong technology and cryptography talent, and are excited to continue to grow our team with some of the best and brightest minds in these fields. The Unbound Security team will form the nucleus of this new research facility, which we plan to grow over time.

    We’re always proud to welcome top talent to Coinbase and the Unbound Security team represents the very best expertise in its field. We look forward to working with them over time to move the entire state of cryptographic security forward and to continue delivering the highest levels of security to our customers. Please join us in welcoming the team to Coinbase.

    This acquisition is subject to customary closing conditions and is expected to close in the coming months.

    Coinbase to acquire leading cryptographic security company, Unbound Security was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

    [ad_2]

    Source link

  • Security PSA: Airdrop Phishing Campaign

    Security PSA: Airdrop Phishing Campaign

    [ad_1]

    By Coinbase Security Team

    As a part of our mission to build a safe and open financial system, we actively monitor for any security threats not only to Coinbase but to the crypto ecosystem as a whole. As we have discussed in our previous blog post on industry-wide crypto security threats, malicious threats against any crypto user or business are bad for the industry. With this community mindset, we do our best to inform and to defend our community from bad actors.

    Over the past month, Coinbase Threat Intelligence, Special Investigations, and Global Intelligence teams have been tracking an ongoing phishing campaign on Ethereum, Polygon, Binance Smart Chain, and other EVM-compatible platforms which has unfortunately resulted in the theft of more than $15M in various crypto assets to date. The phishing campaign does not affect customers who custody funds on Coinbase.com. However, anyone who uses self-custody wallets (e.g. Coinbase Wallet, Metamask, etc.) may be at risk.

    The campaign works by airdropping fictitious coins into victim wallets and enticing them to visit specially-crafted malicious websites. Below is an example of one such coin:

    Source: Polygonscan

    When users attempt to interact with the airdropped tokens such as transferring them to a Decentralized Exchange (DEX), they are presented with an error message encouraging them to visit a malicious phishing website:

    Source: Polygonscan

    The website presents users with a Decentralized Application (DApp) interface supposedly meant to connect their wallets and approve trading of the airdrop tokens. However, when users approve any transactions on the phishing website, in reality they are unknowingly approving a transfer of their personal tokens to the scammers.

    Source: Phishing Site

    The scammers change airdrop token names and phishing websites frequently to evade blocklists; however, they still use the same tactics to steal tokens using fake airdrops and malicious Dapps. Nevertheless, you can take the following security steps to defend your assets:

    • Be wary of airdrop tokens received from an unknown source. It is highly likely these unsolicited tokens are part of a phishing campaign.
    • Do not visit or connect self-custody wallets to any websites advertised by airdropped tokens through error messages, token names, or other methods.
    • Do not interact with airdropped tokens (e.g. approving, transferring, swapping, etc.). As annoying as it sounds, it’s best to just leave them sitting in your wallet.
    • Do not hold high value assets in the same wallet used to regularly interact with Dapps. Use cold storage or custodial solutions such freely available Coinbase Vault or Custody.

    Coinbase is working with industry partners to help limit the damage caused by the scam and we are planning to publish a more detailed analysis of the campaign in the near future.

    Security PSA: Airdrop Phishing Campaign was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

    [ad_2]

    Source link

  • Top ten smart contract security risks

    Top ten smart contract security risks

    [ad_1]

    By the Blockchain Security Team at Coinbase

    Securing smart contracts from risks remains hard. Unaddressed security vulnerabilities readily turn into existential threats to your token’s viability. So how can asset issuers prevent smart contract vulnerabilities from leading to real financial losses on token networks?

    Keep users’ tokens and token networks safe from attackers by teaching developers to write smart contracts and design robust testing based on this list of ERC-20 implementation risks.

    In Introducing Solidify, we shared how the Coinbase blockchain security team performs smart contract vulnerability review at scale. A meta analysis across a few hundred token Solidify security reports resulted in a list of most frequent and severe risks based on potential impact to token network security.

    The top ten Smart Contract Risks (SCR) fall into three categories:

    1. Operational Risks — Authorization features that are exploited when token network governance is insufficient or flawed
    2. Implementation Risks — Intrinsic errors that result in unintended smart contract behavior
    3. Design Risks — Accepted system features that are exploited to alter intended smart contract behavior

    OPERATIONAL RISKS

    SCR-1: Super User Account or Privilege Management

    The smart contract implements functions that allow a privileged role to unilaterally and arbitrarily alter the functionality of the asset.

    SCR-2: Blacklisting and Burning Functions

    The smart contract implements functions that allow a privileged role to prohibit a specific address from exercising an essential functionality.

    SCR-3: Contract Logic or Asset Configuration can be arbitrarily changed

    The smart contract implements functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.

    SCR-4: Self-Destruct Functions

    The smart contract implements a function that allows a privileged role to remove the token contract from the blockchain and destroy all tokens created by the contract.

    SCR-5: Minting Functions

    The smart contract implements a function that allows a privileged role to increase a token’s circulating supply and/or the balance of an arbitrary account.

    IMPLEMENTATION RISKS

    SCR-6: Rolling Your Own Crypto and Unique Contract Logic

    The smart contract implements functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.

    SCR-7: Unauthorized Transfers

    The smart contract contains functions that circumvent standard authorization patterns for sending tokens from an account.

    SCR-8: Incorrect Signature Implementation or Arithmetic

    The smart contract contains operations that can result in unexpected contract states or account balances.

    DESIGN RISKS

    SCR-9: Untrusted Control Flow

    The smart contract invokes functions on different smart contracts in order to trigger functionality not defined within the contract itself.

    SCR-10: Transaction Order Dependence

    The smart contract allows asynchronous transaction processing that can be exploited for profit or protocol correctness through mempool transaction reordering.

    For Coinbase customer funds’ safety, the Coinbase blockchain security team assesses all tokens being considered for listing for proper risk mitigations according to the above vulnerabilities. If you’re looking to get a token listed on Coinbase, we encourage you to check your token’s security by reviewing and testing for the aforementioned risks.

    Future posts will help you review your token’s security by examining the top Smart Contract Risks in detail and will also provide countermeasure recommendations.

    If you are interested in listing your token with Coinbase, visit the Coinbase Asset Hub. If you are interested in securing the future of finance, Coinbase is hiring.

    Top ten smart contract security risks was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

    [ad_2]

    Source link