Cybersecurity firm Halborn conducted a thorough review of the open-source codebase used by Dogecoin and discovered several critical vulnerabilities. These issues could potentially be exploited by hackers to steal funds or disrupt network operations.
However, what was even more alarming is that after conducting a broader review beyond just the Dogecoin codebase, Halborn found that over 280 other cryptocurrency networks were affected with similar vulnerabilities as well such as Litecoin, Dogecoin, and Zcash among others, with risk values to about $25 billion. This highlights a systemic issue within many blockchain protocols where security may not have been given adequate attention during development.
The Halborn firm was founded in 2019 by ethical hacker Steven Walbroehl and growth hacker Rob Behnke, the firm was contracted in March 2022 to evaluate the Dogecoin open-source codebase for any vulnerabilities that could affect the security of the blockchain. Halborn found vulnerabilities that were fixed by the Dogecoin team. However, on a broader review, Halborn established that variants of these zero days are also seen in other networks.
The research was led by Hossam Mohamed, the Senior Offensive Security Engineer, and details that peer-to-peer (p2p) related communications were the most critical vulnerability which could lead to a 51% attack. Attackers can “craft consensus messages and send them to individual nodes and take them offline.” Further, “an attacker can crawl the network peers using getaddr message and attack the unpatched nodes,” Halborn explained.
Other issues were Common Vulnerabilities and Exposures from Bitcoin. Also, Halborn identified another zero-day particularly related to Dogecoin, and Remote code execution vulnerability related to individual miners.
Nonetheless, not all the vulnerabilities are exploitable on all the networks, the reason being the differences in the codebase. Yet, at least one of them may be exploitable on each network. Exploiting a vulnerability on a prone network could lead to denial of service or remote code execution, Halborn mentioned.
According to Halborn, the firm has developed an exploit kit for Rab13s that includes a proof of concept aimed at demonstrating the attacks on different networks. Additionally, the firm confirmed reaching out to the affected networks for responsible disclosure.
The report serves as an urgent call for all crypto projects to prioritize cybersecurity measures in order to protect user assets and ensure the long-term sustainability of their platforms.