Massive vulnerabilities revealed in Dogecoin, Litecoin, Zcash
2022 was a historic year for crypto hacks. Photo illustration by Josue Evilla – Fortune; original photos by Getty Images
Last year saw a historic rise in cryptocurrency hacking, with cybercriminals stealing over $3 billion. According to a discovery by cybersecurity firm Halborn, 2023 could have been even more disastrous, with the company finding huge vulnerabilities in top blockchains like Dogecoin, Litecoin and Zcash – putting around $25 billion in assets at risk.
Halborn has been working with the affected parties to fix the issues, with developers at Zcash and Dogecoin releasing new updates to mitigate the risk, although developers warned that vulnerabilities still exist.
Researchers at Halborn first discovered the critical holes after being contracted by Dogecoin—a popular “memecoin” blockchain with the ninth-largest cryptocurrency by market capitalization—in March 2022. Dogecoin tasked Halborn with evaluating its open-source codebase to test for unknown exploits, or “zero-day vulnerabilities,” in its code that could target funds held by the blockchain’s miners. The engineer found several critical issues and reported them to Dogecoin’s lead developers, who confirmed the issues and worked on patches that were incorporated in July.
After further research, Halborn engineers found variations of the exploits in other popular blockchains, including Litecoin and Zcash. They were based on UTXO, or unused transaction output, a cryptocurrency data distribution protocol used by Dogecoin, Litecoin, Zcash and other blockchains. As the researchers described, the most critical vulnerability affected peer-to-peer communication, allowing attackers to craft malicious consensus messages to nodes and cause them to shut down, exposing the network to attacks that could affect over $25 billion in assets. In total, Halborn identified over 280 vulnerable blockchains.
Halborn worked with the projects at risk to provide details on how to fix the vulnerabilities, which it disclosed to them privately on February 14. Although Dogecoin’s codebase was updated last summer, other projects have only implemented changes after learning about the vulnerabilities from Halborn. Electronic Coin Company, the developer of the privacy-focused blockchain Zcash, started its security process after the disclosure, coordinating with an independent Zcash community-funded security team called ZecSec to create patches.
A Zcash representative said there is no evidence that the discovered vulnerabilities led to any exploits on the network, adding that the flaws do not compromise users’ privacy. According to the representative, the updates will be available to users on Monday, adding that it delayed the release to allow other projects to complete their own patches.
Although many of the larger blockchains are implementing fixes, Steve Walbroehl, chief security officer and co-founder of Halborn, said that because the networks are decentralized, they require action from the owners of the miners and nodes to patch their own code base. Although developers have released upgraded versions to address the risk, owners still need to update their code. Walbroehl also cautioned that other projects have yet to implement the updates.
Patrick Lodder, a core developer for Dogecoin, said the network has released updates to address the vulnerabilities, warning that anyone who hasn’t updated to the latest version could be vulnerable to denial-of-service vulnerabilities.
“Disclosures bring awareness, which helps keep everyone safe,” Walbroehl said Fortune.
