2022 was a historic year for cryptocurrency hacking. Photo illustration by Josue Evilla – Fortune. Original photo by Getty Images.
Cryptocurrency hacks hit a historic high last year, with cybercriminals stealing over $3 billion. 2023 could have been an even more disastrous year: according to findings by cybersecurity firm Halborn, massive vulnerabilities discovered in major blockchains such as Dogecoin, Litecoin and Zcash may have put nearly $25 billion in assets at risk.
Halborn worked with affected parties to patch the issue, and Zcash and Dogecoin developers released new updates to mitigate the risk, but the developers warned that the vulnerability still exists.
Researchers at Halborn first spotted the significant gaps after signing Dogecoin, the popular "memecoin" blockchain with the ninth-largest cryptocurrency by market cap, in March 2022. Halborn found several serious issues, including a "zero-day vulnerability" in code that could target funds held by blockchain miners, and reported them to Dogecoin's lead developer. A developer confirmed the issue and worked on a patch that was incorporated in July.
Upon further investigation, Halborn engineers discovered variants of the exploit on other popular blockchains, including Litecoin and Zcash. These are based on UTXO, or Unspent Transaction Output, a protocol for distributing cryptocurrency data used in Dogecoin, Litecoin, Zcash, and other blockchains. As detailed by the researchers, the most critical vulnerabilities affect peer-to-peer communications: attackers can send crafted malicious consensus messages to nodes to force them to shut down, exposing the network to attacks and potentially affecting over $25 billion in assets. In total, Halborn has identified over 280 vulnerable blockchains.
Halborn worked with the at-risk projects to provide details on how to fix the vulnerability and made them privately available on February 14th. Dogecoin's codebase was patched last summer, while other projects implemented changes only after learning about the vulnerability from Halborn. Electronic Coin Company, developer of the privacy-focused blockchain Zcash, began a security process after going public, working with an independent, Zcash community-funded security team called ZecSec to create the patch.
A Zcash representative said there was no evidence that the discovered vulnerability led to exploitation on the network, adding that the bug does not compromise user privacy. The update was made available to users on Monday, officials said, adding that the release was delayed to allow other projects to finalize their own patches.
Halborn chief security officer and co-founder Steve Walbroehl said that although many of the larger blockchains have implemented the fix, the decentralization of the networks means that miner and node owners need to patch their own codebases. Developers have released upgraded versions to address the risk, but owners still need to update their code. Walbroehl also warns that other projects have not yet implemented the patch.
Dogecoin core developer Patrick Lodder said the network has released a patch to address the vulnerability, and warned that anyone who has not updated to the latest version could be affected by the denial-of-service vulnerability.
“Disclosure brings awareness and helps everyone be safe,” Walbroehl said.