Security researchers at ZenGo Wallet have found that decentralized crypto apps, including the popular Coinbase wallet, are vulnerable to “red pill attacks.”
This method allows malicious smart contracts to hide their true behavior from security features during transaction simulations, which can result in users unknowingly losing their assets.
The vulnerability was disclosed to Coinbase, which has since fixed the reported security problems and awarded ZenGo Wallet multiple bug bounties for their responsible disclosure.
Web3 smart contracts are programs that automatically execute when a cryptocurrency transaction takes place, giving developers a wide range of functionality for websites and crypto assets. However, malicious actors also use smart contracts for fraudulent purposes, such as stealing sent crypto or draining a wallet of its assets.
To prevent these attacks, dapp developers have introduced simulated transaction solutions to emulate signing a transaction and predict the outcome before the user approves it.
The ZenGo Wallet report highlights that some malicious smart contracts can detect when they are being simulated and demonstrate inauthentic behavior to appear benign or profitable to the target, tricking the web3 emulation security system.
The attack is conducted by filling variables in a smart contract with “safe” data during simulations and then swapping it with “malicious” data during a live transaction. As a result, the simulation shows the smart contract as safe, while the live transaction steals the user’s crypto.
ZenGo Wallet found six cryptocurrency wallet dapps vulnerable to exploitation by red pill attacks, including the Coinbase wallet, Rabby wallet, Blowfish, PocketUniverse, Fire Extension, and an unnamed extension that has not yet fixed the problem.
The fix for this attack is to stop using arbitrary values for vulnerable variables, preventing their use as “red pills” in malicious contracts.
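To make the fix concrete, the following is an added example, not code from ZenGo, Coinbase or any of the wallets named above. It audits a simulator's execution context against the live chain's values and re-runs a contract model under both to see whether the outcome shown to the user diverges. The field names, sample values and the toy contract model are assumptions constructed for illustration; the article does not list the affected variables.

```python
"""Audit a transaction simulator's execution context for arbitrary values."""

# Context fields a contract can read at run time. Which fields a given
# simulator fills arbitrarily is an assumption; the article does not name them.
CONTEXT_FIELDS = ("coinbase", "basefee", "number")
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed sample data: values from the live chain vs. a simulator that
# leaves two fields at arbitrary defaults.
LIVE_ENV = {"coinbase": "0x" + "ab" * 20, "basefee": 30_000_000_000, "number": 17_000_000}
SIM_ENV = {"coinbase": ZERO_ADDRESS, "basefee": 0, "number": 17_000_000}


def placeholder_fields(sim_env, live_env):
    """Return the context fields whose simulated value differs from the live one."""
    return [f for f in CONTEXT_FIELDS if sim_env.get(f) != live_env.get(f)]


def harden(sim_env, live_env):
    """Return a copy of sim_env with every context field taken from the live chain."""
    fixed = dict(sim_env)
    fixed.update({f: live_env[f] for f in CONTEXT_FIELDS})
    return fixed


def differential_check(contract, sim_env, live_env):
    """Run a contract model under both contexts and compare the user-visible result."""
    shown, actual = contract(sim_env), contract(live_env)
    return {
        "shown": shown,            # what the wallet would display to the user
        "actual": actual,          # what a live transaction would do
        "diverges": shown != actual,
        "suspect_fields": placeholder_fields(sim_env, live_env),
    }


def toy_contract(env):
    """Constructed stand-in for a contract whose result depends on a context field.
    Returns the change in the user's balance."""
    return 1 if env["coinbase"] == ZERO_ADDRESS else -10


if __name__ == "__main__":
    print(differential_check(toy_contract, SIM_ENV, LIVE_ENV))
    print(differential_check(toy_contract, harden(SIM_ENV, LIVE_ENV), LIVE_ENV))
```

With the hardened context the simulator and the live chain agree, so the wallet displays the same loss a live transaction would cause.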