Last year saw a historic rise in cryptocurrency hacks, with cybercriminals stealing over $3 billion. According to a discovery from the cybersecurity firm Halborn, 2023 could have been even more disastrous, with the company finding massive vulnerabilities in top blockchains such as Dogecoin, Litecoin, and Zcash—putting about $25 billion of assets at risk.
Halborn has worked with the affected parties to fix the issues, with developers at Zcash and Dogecoin releasing new updates to mitigate the risks, although developers warned that vulnerabilities still exist until blockchain operators implement the patches, as well as on the other networks.
Researchers at Halborn first found the critical gaps after being contracted by Dogecoin—a popular "memecoin" blockchain with the ninth-largest cryptocurrency by market cap—in March 2022. Dogecoin tasked Halborn with evaluating its open-source codebase to test for unknown exploits, or "zero-day vulnerabilities," in its code that could target funds held by the blockchain's miners. The engineer found multiple critical issues and reported them to Dogecoin's lead developers, who confirmed the issues and worked on patches incorporated in July.
After further research, Halborn engineers found variants of the exploits in other popular blockchains, including Litecoin and Zcash. They were based on UTXO, or unspent transaction output, a protocol for distributing cryptocurrency data used by Dogecoin, Litecoin, Zcash, and other blockchains. As the researchers detailed, the most critical vulnerability affected peer-to-peer communications, allowing attackers to craft malicious consensus messages to nodes and cause them to shut down, exposing the network to attacks, which could affect over $25 billion of assets. In total, Halborn identified over 280 vulnerable blockchains.
Halborn worked with the projects at risk to provide details on how to fix the vulnerabilities, which it disclosed to them privately on Feb. 14. Although Dogecoin's code base was patched last summer, other projects have only implemented changes after learning about the vulnerabilities from Halborn. Electronic Coin Company, the developer of the privacy-focused blockchain Zcash, initiated its security process after the disclosure, coordinating with an independent Zcash community-funded security team called ZecSec to create patches.
A representative from Zcash said there's no evidence that the discovered vulnerabilities led to any exploits on the network, adding that the bugs don't compromise user privacy. According to the representative, the updates will be available to users on Monday, adding that it delayed the release to allow other projects to complete their own patches.
Despite many of the larger blockchains implementing fixes, Steve Walbroehl, the chief security officer and cofounder of Halborn, said that because the networks are decentralized, they require action from the owners of the miners and nodes to patch their own code base. Although developers have released upgraded versions to address the risks, owners still need to update their code. Walbroehl also warned that other projects have yet to implement the patches.
Patrick Lodder, a core developer for Dogecoin, said that the network has released patches to address the vulnerabilities, warning that anyone who hasn't updated to the most recent version could be susceptible to denial-of-service vulnerabilities.
"Disclosures bring awareness, which helps everyone become secured," Walbroehl told Fortune.
