Bankless Times
“Red Pill” Vulnerability Detected in Coinbase Wallet, Breach Possible

Daniela Kirova
March 21st, 2023
  • Malicious decentralized applications can steal assets as users approve opaque transactions
  • Vulnerability caused by developer omission, random values assigned to special variables

According to research by the developers of ZenGo, a novel cryptocurrency wallet, Coinbase Wallet and other leading vendors can fall victim to security breaches because of a so-called “red pill” vulnerability in transaction simulation solutions, CoinTelegraph wrote.

Users misled to approve opaque transactions

This vulnerability makes it possible for malicious decentralized applications to steal user assets as users approve opaque transactions. Its name comes from the infamous Matrix "red and blue pill" scene.

ZenGo developers added that all vendors they approached about the issue were very receptive to their reports and most of them remedied their faulty implementations quickly.

Programming oversight caused the vulnerability

The vulnerability was caused by developer omission regarding so-called "Special Variables" in smart contracts that hold general data on the functions of the blockchain, like the current block’s timestamp.

ZenGo found these variables had no accurate values during simulations, which led them to conclude that developers had taken a “shortcut” and assigned a random value to them. They gave the COINBASE instruction as an example:

The "COINBASE" instruction contains the address of the current block miner. Since during simulation there is no real block and hence no miner, some simulation implementations just set it to the null address - all zeros address.

The developers showed how this vulnerability could compromise the simulation of a smart contract on a given blockchain that asks users to send native tokens in exchange for other assets.

When the user carries out the transaction on the blockchain, the respective variable is filled with the current miner’s non-zero address, and the smart contract just takes the tokens sent.

The solution

ZenGo proposed an easy fix: assigning meaningful rather than random values to the vulnerable variables.
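
The following is an added example, not code from ZenGo, Coinbase or any wallet vendor. It is a toy Python model of the check a simulation developer could run: execute the same call under the shortcut context (null COINBASE) and under a context with meaningful values, then flag any difference in the result. All names, the sample miner address, the timestamp and the treatment of timestamp 0 as a placeholder are assumptions made for illustration.

```python
# Added example: toy model, not ZenGo's or any wallet vendor's code.
from dataclasses import dataclass

NULL_ADDRESS = "0x" + "00" * 20  # the all-zeros address from the quote

@dataclass(frozen=True)
class BlockContext:
    coinbase: str   # what the COINBASE instruction returns
    timestamp: int  # current block's timestamp

@dataclass(frozen=True)
class Outcome:
    native_sent: int      # native tokens leaving the user
    assets_received: int  # other assets credited to the user

# Constructed contexts. Treating timestamp 0 as a placeholder is an assumption.
SHORTCUT_CTX = BlockContext(coinbase=NULL_ADDRESS, timestamp=0)
MEANINGFUL_CTX = BlockContext(coinbase="0x" + "11" * 20, timestamp=1679400000)

def placeholder_fields(ctx):
    """Name the special variables a simulator left at placeholder values."""
    found = []
    if ctx.coinbase == NULL_ADDRESS:
        found.append("coinbase")
    if ctx.timestamp == 0:
        found.append("timestamp")
    return found

def context_sensitive_swap(ctx, value):
    """Stand-in for the contract in the article: pays out only in a simulator."""
    paid = value * 2 if ctx.coinbase == NULL_ADDRESS else 0
    return Outcome(native_sent=value, assets_received=paid)

def honest_swap(ctx, value):
    """A swap whose result does not depend on the block context."""
    return Outcome(native_sent=value, assets_received=value * 2)

def audit_simulation(contract, value, sim_ctx=SHORTCUT_CTX, ref_ctx=MEANINGFUL_CTX):
    """Run the same call under both contexts and report any divergence."""
    preview, reference = contract(sim_ctx, value), contract(ref_ctx, value)
    return {"placeholders": placeholder_fields(sim_ctx),
            "preview": preview, "reference": reference,
            "diverges": preview != reference}

if __name__ == "__main__":
    for contract in (context_sensitive_swap, honest_swap):
        report = audit_simulation(contract, value=100)
        print(contract.__name__, "diverges:", report["diverges"])
```

A preview that diverges between the two contexts means the result shown to the user depended on the simulator's placeholder values rather than on what the chain would do.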

Coinbase rewarded ZenGo for preventing potential issues, and the company showed redacted screenshots of the rewards. ZenGo also received a $50,000 grant from the Ethereum Foundation for its research on transaction simulations.
