Dogecoin, Litecoin, Zcash and others hit by serious vulnerabilities; developers warn of more risks

Leo Schwartz 2023-03-16
2022 was the worst year on record for cryptocurrency hacks.

Image credit: PHOTO ILLUSTRATION BY JOSUE EVILLA – FORTUNE; ORIGINAL PHOTOS BY GETTY IMAGES

Chinese edition (Fortune China) translation: 刘进龙 (Liu Jinlong); proofreading: 汪皓 (Wang Hao).

Last year saw a historic rise in cryptocurrency hacks, with cybercriminals stealing over $3 billion. According to a discovery from the cybersecurity firm Halborn, 2023 could have been even more disastrous, with the company finding massive vulnerabilities in top blockchains such as Dogecoin, Litecoin, and Zcash—putting about $25 billion of assets at risk.

Halborn has worked with the affected parties to fix the issues, and developers at Zcash and Dogecoin have released new updates to mitigate the risks. Developers warned, however, that the vulnerabilities persist until blockchain operators install the patches, and that they still exist on other networks.

Researchers at Halborn first found the critical gaps after being contracted by Dogecoin—a popular “memecoin” blockchain with the ninth-largest cryptocurrency by market cap—in March 2022. Dogecoin tasked Halborn with evaluating its open-source code base to test for unknown exploits, or “zero-day vulnerabilities,” in its code that could be used to target funds held by the blockchain’s miners. The engineers found multiple critical issues and reported them to Dogecoin’s lead developers, who confirmed the issues and worked on patches incorporated in July.

After further research, Halborn engineers found variants of the exploits in other popular blockchains, including Litecoin and Zcash. They were based on UTXO, or unspent transaction output, a protocol for distributing cryptocurrency data used by Dogecoin, Litecoin, Zcash, and other blockchains. As the researchers detailed, the most critical vulnerability affected peer-to-peer communications, allowing attackers to craft malicious consensus messages to nodes and cause them to shut down, exposing the network to attacks, which could affect over $25 billion of assets. In total, Halborn identified over 280 vulnerable blockchains.

Halborn worked with the projects at risk to provide details on how to fix the vulnerabilities, which it disclosed to them privately on Feb. 14. Although Dogecoin’s code base was patched last summer, other projects have implemented changes only after learning about the vulnerabilities from Halborn. Electronic Coin Company, the developer of the privacy-focused blockchain Zcash, initiated its security process after the disclosure, coordinating with an independent Zcash community-funded security team called ZecSec to create patches.

A representative from Zcash said there’s no evidence that the discovered vulnerabilities led to any exploits on the network, adding that the bugs don’t compromise user privacy. The representative said the updates will be available to users on March 13, and that the release was delayed to allow other projects to complete their own patches.

Despite many of the larger blockchains implementing fixes, Steve Walbroehl, the chief security officer and cofounder of Halborn, said that because the networks are decentralized, they require action from the owners of the miners and nodes to patch their own code base. Although developers have released upgraded versions to address the risks, owners still need to update their code. Walbroehl also warned that other projects have yet to implement the patches.

Patrick Lodder, a core developer for Dogecoin, said that the network has released patches to address the vulnerabilities, warning that anyone who hasn’t updated to the most recent version could be susceptible to denial-of-service vulnerabilities.

“Disclosures bring awareness, which helps everyone become secured,” Walbroehl told Fortune.
