According to a blog post released by the creators of the cryptocurrency wallet ZenGo, the company discovered security flaws in the transaction simulation techniques used by prominent decentralized apps (dApps).
This vulnerability, dubbed the “red pill attack,” enabled hostile dApps to steal user assets via opaque transaction approvals that were presented to and accepted by users. The name is derived from the famous “red pill” sequence in The Matrix.
“If malware is able to detect it’s actually being executed in a simulated environment or living in the matrix, it can behave in a benign manner, thus deceiving the anti-malware solution, and reveal its true malicious nature only when actually executed in a real environment.”
According to ZenGo, its investigation found that numerous prominent providers, including Coinbase Wallet, were previously susceptible to attacks of this kind.
“All suppliers were quite attentive to our complaints,” ZenGo added, “and the majority of them were fast to modify their flawed implementations.”
The vulnerability is made possible by a programming error in how simulations populate “Special Variables,” the values exposed to smart contracts that carry general information about the blockchain’s operation, such as the current block’s timestamp.
ZenGo asserts that during simulations there is no correct value for these special variables, and that developers take a “shortcut” by setting them to arbitrary values.
“For example, the ‘COINBASE’ instruction contains the address of the current block miner. Since during simulation there is no real block and hence no miner, some simulation implementations just set it to the null address (all zeros address).”
ZenGo developers demonstrated in a video how a Polygon (MATIC) smart contract that asks users to pay native currency in exchange for another token can exploit the simulation using this method:
“When the user actually sends the transaction on-chain, COINBASE [Wallet] is actually filled with the non-zero address of the current miner and the contract just takes the sent coins.”
Instead of loading these sensitive variables with arbitrary values, simulations must populate them with meaningful values, according to ZenGo.
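Besides fixing the simulator, a wallet can flag contracts that fingerprint the simulation in the way described above. The following is an added example, not ZenGo's or any wallet's code: a static heuristic that disassembles EVM bytecode and reports COINBASE reads followed by a comparison against zero. The bytecode samples are constructed for illustration; real compiler output varies, so the heuristic can miss other encodings of the same check.

```python
# Added example: flag EVM bytecode that compares the COINBASE special variable
# with zero, the simulation fingerprint ZenGo describes. Heuristic only.

COINBASE, ISZERO, EQ = 0x41, 0x15, 0x14
PUSH1, PUSH32 = 0x60, 0x7F


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) tuples, skipping PUSH immediates
    so that data bytes are never mistaken for opcodes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1            # PUSHn carries n immediate bytes
            yield pc, op, code[pc + 1:pc + 1 + n]
            pc += 1 + n
        else:
            yield pc, op, b""
            pc += 1


def find_zero_coinbase_checks(code: bytes, window: int = 3):
    """Return offsets of COINBASE opcodes followed, within `window`
    instructions, by ISZERO or by a PUSH of all-zero bytes and then EQ."""
    ins = list(disassemble(code))
    hits = []
    for i, (off, op, _) in enumerate(ins):
        if op != COINBASE:
            continue
        pushed_zero = False
        for _, op2, imm in ins[i + 1:i + 1 + window]:
            if op2 == ISZERO:
                hits.append(off)
                break
            if PUSH1 <= op2 <= PUSH32 and set(imm) <= {0}:
                pushed_zero = True          # candidate "address(0)" operand
            elif op2 == EQ and pushed_zero:
                hits.append(off)
                break
    return hits


# Constructed samples (not real contract bytecode):
# COINBASE ISZERO PUSH1 0x10 JUMPI -> branches when the miner address is zero
SUSPICIOUS = bytes([0x41, 0x15, 0x60, 0x10, 0x57])
# COINBASE PUSH20 <20 zero bytes> EQ PUSH1 0x20 JUMPI -> same check, unoptimized
SUSPICIOUS2 = bytes([0x41, 0x73]) + bytes(20) + bytes([0x14, 0x60, 0x20, 0x57])
# PUSH1 0x41 PUSH1 0x01 ADD -> 0x41 is data here, not the COINBASE opcode
BENIGN = bytes([0x60, 0x41, 0x60, 0x01, 0x01])
```

A simulator that instead populates COINBASE with a realistic miner address, as ZenGo recommends, removes the signal this heuristic looks for in the first place.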
The company provided redacted images of bug bounty payouts from Coinbase for the resolution of the problem. In addition, the Ethereum Foundation has awarded ZenGo a grant of $50,000 for its research on transaction simulations.