According to a blog post published by ZenGo, the developer of the ZenGo crypto wallet, the company discovered a security flaw in the transaction simulation solutions used by popular decentralized applications (dApps). Dubbed a "red pill attack," the vulnerability allows a malicious dApp to steal user assets through opaque transaction approvals that are presented to and approved by users. The bug takes its name from the iconic "red pill" scene in The Matrix film series.
"If malware can detect that it's actually executing in a simulated environment or living in the Matrix, it can behave in a benign way that tricks anti-malware solutions, only revealing it when actually executing in a real environment. A truly hostile environment."
ZenGo claims its research shows that many leading providers, including Coinbase Wallet, were at one time vulnerable to such attacks. "All vendors were very receptive to our reports," ZenGo said, "and most of them fixed their buggy implementations very quickly."
The vulnerability may be due to a programming oversight involving "special variables" available to a smart contract that store general information about the blockchain state, such as the timestamp of the current block. ZenGo stated that during simulation these special variables did not hold correct values, and claimed that the developers "cut corners" and set them to arbitrary values.
"For example, the COINBASE instruction contains the address of the miner for the current block. Since there is no real block during the simulation, and thus no miner, some simulation implementations just set it to an empty address (address of all zeros)."
In a video, ZenGo developers demonstrate how a smart contract on Polygon (MATIC) that requires users to send the native token in exchange for another token could be compromised by this method: "When a user actually sends a transaction on-chain, the COINBASE [variable] is actually filled with the non-zero address of the current miner, and the contract only receives the coins sent."
ZenGo said the bug's fix was straightforward: "Simulation needs to populate these vulnerable variables with meaningful values, rather than filling them with arbitrary values." The company showed redacted screenshots of a bug bounty, apparently granted by Coinbase for this issue. The Ethereum Foundation also awarded ZenGo a $50,000 grant for its research into transaction simulation.
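A defender-side complement to the fix ZenGo describes, as an added example that is not ZenGo's code nor any wallet vendor's simulator: a small scanner that walks EVM runtime bytecode (skipping PUSH immediates, so data bytes are not mistaken for opcodes) and reports where block-context opcodes such as COINBASE are read, and whether the read is immediately tested against zero, which is the "am I in a simulation?" pattern the article describes. The sample bytecode is constructed for the demonstration.

```python
"""Scan EVM bytecode for environment-probing opcodes (a red-pill heuristic).

Added example, not ZenGo's code. It disassembles runtime bytecode and flags
reads of block-context opcodes, marking any read that is immediately
compared against zero, as a simulation that leaves COINBASE all-zero would be.
"""
# Block/environment opcodes a contract can use to tell a simulation from mainnet.
ENV_OPCODES = {
    0x41: "COINBASE", 0x42: "TIMESTAMP", 0x43: "NUMBER",
    0x44: "PREVRANDAO", 0x45: "GASLIMIT", 0x48: "BASEFEE",
}
ISZERO = 0x15


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate), skipping PUSHn data bytes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:  # PUSH1..PUSH32 carry 1..32 immediate bytes
            n = op - 0x5F
            yield pc, op, code[pc + 1:pc + 1 + n]
            pc += 1 + n
        else:
            yield pc, op, b""
            pc += 1


def find_env_probes(code: bytes):
    """Return [(offset, name, compared_to_zero)] for every env opcode read."""
    ops = list(disassemble(code))
    findings = []
    for i, (pc, op, _) in enumerate(ops):
        if op in ENV_OPCODES:
            nxt = ops[i + 1][1] if i + 1 < len(ops) else None
            findings.append((pc, ENV_OPCODES[op], nxt == ISZERO))
    return findings


# Constructed sample: PUSH1 0x41 (the 0x41 here is data, not COINBASE), then
# COINBASE ISZERO PUSH2 0x0010 JUMPI, a branch on "is the miner address zero?",
# followed by a plain TIMESTAMP read that is not compared to zero.
SAMPLE = bytes([0x60, 0x41,              # PUSH1 0x41
                0x41, 0x15,              # COINBASE, ISZERO
                0x61, 0x00, 0x10, 0x57,  # PUSH2 0x0010, JUMPI
                0x42, 0x50,              # TIMESTAMP, POP
                0x00])                   # STOP

if __name__ == "__main__":
    for pc, name, zero_check in find_env_probes(SAMPLE):
        flag = " compared to zero (red-pill pattern)" if zero_check else ""
        print(f"0x{pc:04x}: {name}{flag}")
```

A hit is a prompt to review the contract, not proof of malice; many legitimate contracts read TIMESTAMP or NUMBER, which is why the zero-comparison flag matters more than the bare read.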