Resonance Security analysts uncovered a potential vulnerability in the Runes protocol, highlighting concerns of exploitation by bad actors in the crypto space.
The Runes protocol, a native Bitcoin protocol that aims to streamline the creation of fungible tokens on the Bitcoin network, appears to have a significant red flag in its functionality that opens the door to potential misuse, according to a research report by Resonance Security seen by crypto.news.
Unlike its counterpart, the Ordinals protocol, which inscribes data to individual satoshis on the chain, Runes focuses on creating interchangeable tokens through the use of the Unspent Transaction Output (UTXO) model.
Despite its promising functionality, the protocol apparently allows URLs to be included in the metadata of Runes tokens, which the security experts warn could be exploited by malicious actors.
“[…] malicious URLs are often involved in phishing attacks, malware infections, and many other cyber violations. So, what’s stopping the bad guys from using this metadata allowance for their own nefarious purposes? Nothing.”
Resonance Security
The experts said that because a blockchain records data immutably and publicly, malicious URL links can persist indefinitely, making the problem worse.
Illustrating the potential threat, the Resonance Security team outlined a hypothetical scenario where an attacker could embed a malicious URL within a Runes token and initiate an airdrop campaign to distribute the token widely. Unsuspecting users, enticed by promised rewards, could fall victim to phishing sites upon clicking the URL, compromising their sensitive information.
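One defender-side check suggested by this scenario, added here as an example that is not part of the Resonance report or of the Runes protocol itself: a wallet or explorer scans token metadata for URLs before display, never renders them as clickable links, shows them defanged, and flags obvious warning signs. The metadata record shape (a `name` and `description` field) and the sample values are constructed assumptions, since the page does not describe the actual metadata format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample metadata records; the field layout is an assumption,
# not the real Runes metadata encoding.
SAMPLE_TOKENS = [
    {"name": "PLAIN", "description": "A token with no links at all."},
    {"name": "AIRDROP", "description": "Claim rewards at https://claim-rewards.example/airdrop now!"},
    {"name": "LOOKALIKE", "description": "Verify wallet: http://xn--pple-43d.example/login"},
    {"name": "RAWIP", "description": "Support: http://203.0.113.7/help"},
]

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s<>\"']+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_urls(text):
    """Find every URL embedded in a free-text metadata field."""
    return URL_RE.findall(text)


def classify_url(url):
    """Return reasons a wallet should treat this URL with extra suspicion.
    An empty list does not mean 'safe': metadata URLs are unsolicited by definition."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("non-https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")  # IDN lookalike domains are a classic phishing trick
    if IPV4_RE.match(host):
        reasons.append("ip-literal-host")
    return reasons


def defang(url):
    """Render a URL as inert text so the UI cannot accidentally make it clickable."""
    return url.replace("://", "[://]").replace(".", "[.]")


def scan_token(token):
    """Produce the display decision for one token: URLs found, defanged form, and flags."""
    urls = extract_urls(token.get("description", ""))
    findings = [{"url": u, "display": defang(u), "reasons": classify_url(u)} for u in urls]
    return {"name": token["name"], "has_urls": bool(urls), "findings": findings}
```

A wallet would show `display` as plain text and surface `reasons` as a warning next to the token rather than exposing the raw link.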
“While the emergence of protocols like Runes brings exciting opportunities for expanding the functionality, development, and ecosystems of Bitcoin, and blockchain technology as a whole, it also underscores the importance of remaining vigilant in the face of potential cybersecurity risks.”
Resonance Security
Although the Resonance Security team didn’t attribute any malicious intent to the creators of the Runes protocol, they highlighted the critical importance of identifying and addressing potential cybersecurity risks in developing blockchain protocols.