Bitcoin hype is on the rise again. While the Bitcoin blockchain’s original purpose was to be a distributed ledger for peer-to-peer cryptocurrency transactions, it seems the debut of Ordinals back in January of 2023 has spurred interest from blockchain developers all over the world. These developers are looking for ways to increase the functionality of the original Layer 1 chain. Some have decided that building Layer 2s that integrate with Bitcoin, such as the Lightning Network, Rootstock, Stacks, and Liquid Network, are the way to go. Others have looked to utilize Bitcoin’s native features to grow that extra functionality and development directly on the chain. Two of the most popular native Bitcoin protocols right now are Ordinals and Runes.
The Ordinals and Runes protocols were created by the same person, Casey Rodarmor. Although they have the same creator and some development similarities, the protocols have two distinct purposes. Ordinals act to “inscribe” data, like images or videos, to individual satoshis on the chain. They do this through a logical ordering system of satoshis using a process called “Ordinal Theory”. These inscriptions serve as the only form of native NFTs currently available on Bitcoin. The Runes protocol creates the opposite of NFTs. Runes serve to create fungible, meaning interchangeable, tokens on the chain. Runes is in direct competition with the BRC-20 token standard that launched in March of 2023, which utilizes the Ordinals protocol to produce its tokens. Runes aims to make the process of creating fungible tokens on Bitcoin more efficient.
Runes’ competition with BRC-20 and its stark assertion of efficiency is what drew me to research it further. Throughout my research I found something that raised an immediate red flag in my cybersecurity mind. That red flag is what we will focus on today. To understand the issue, you must know how the Runes protocol works. Let me break it down for you.
The Runes protocol operates on the Bitcoin network through an elegant utilization of the Unspent Transaction Output (UTXO) model to establish a secure and decentralized framework for token creation and management. To initiate a new Runes token, users execute an etching transaction, embedding metadata, such as token name and symbol, into the Bitcoin blockchain via an OP_RETURN output. Minting tokens involves creating UTXOs corresponding to the tokens, with the total supply determined by the sum of all minted UTXOs. Token transfers are executed through Bitcoin transactions referencing the UTXOs associated with the tokens, ensuring seamless integration and fungibility with the Bitcoin network. Cenotaphs, resulting from invalid transactions due to rule violations, lead to the burning of the associated tokens. Integral to the protocol are Runestones, embedded messages within Bitcoin transaction outputs, guiding the execution of protocol instructions. Finally, the Runes protocol allows for additional encoded metadata to enhance token functionality and facilitate smoother operation within the network. Such metadata may include URLs, descriptions, or other relevant information.
Did you catch the red flag? I’ll give you a hint: it’s only three letters long. U. R. L. The allowance for URLs in the metadata immediately sent out an alert in my brain. Why? Well, we all know the dangers of clicking on suspicious URLs within emails or texts. Malicious URLs are also known to facilitate malware spread, cross-site attacks, and most of the other browser-based vulnerabilities. Why would a token creator want to include a URL in their token’s metadata anyway? Here are some reasons I could think of:
- The creator wants to link users to other external content that they have created.
  - Say they’re an artist and believe that adding the link to their gallery website is a cool way to increase its visibility.
- The creator wants to show off a page explaining the tokenomics details, usage instructions, or token documentation.
- If the token represents a real-world asset, the URL could point to live data, such as sports scores, stock prices, or weather conditions.
- Maybe the creator wants to redirect users to connect with their community through forums, social media, or Discord servers.
- Creators can offer promotional campaigns allowing for special deals, giveaways, or limited-time events through a landing page.
- Finally, redirection to other projects’ websites can highlight the creator’s collaborations with others.
An example Runestone struct capable of inputting a URL into the token’s metadata could look something like this:
Now for the security professional’s point of view. As stated above, malicious URLs are often involved in phishing attacks, malware infections, and many other cyber violations. So, what’s stopping the bad guys from using this metadata allowance for their own nefarious purposes? Nothing. While this metadata functionality feature may not be a technical vulnerability in and of itself, it certainly can be abused for negative consequences. Consider this scenario:
1. Creation of Malicious Token:
- An attacker etches a new Runes token.
- They embed a malicious URL within the etching transaction, obfuscating it as innocuous data.
2. Airdrop Campaign:
- The attacker initiates an airdrop campaign, distributing the token generously to unsuspecting users.
3. User Engagement Prompt:
- Users are prompted to explore the token details, perhaps through a fake X campaign promising incentives or exclusive features.
4. Exploration on Bitcoin Explorer:
- Users navigate to the token's transaction details through a Bitcoin blockchain explorer.
- Within the transaction history, they encounter the OP_RETURN output containing the disguised malicious URL.
5. Phishing Site Encounter:
- Intrigued by the advertised potential rewards, users click the URL.
- They are redirected to a phishing site, meticulously crafted by the attacker.
- Users divulge sensitive information, probably disguised as promotional reward qualification or KYC verifications, falling victim to the attacker's scheme.
*It should also be noted that due to the immutability and transparency of blockchain technology, these malicious URLs would be accessible forever.
This was the scenario that flashed through my mind as I read through the Runes functionality features. I also want to make it crystal clear that I am not calling out Casey Rodarmor or the Runes protocol as something that was built to facilitate malicious activities on-chain. The issue I am describing here is not a protocol vulnerability. It is simply a new way of executing an established attack that involves this brand new protocol. Put another way, it is a valid functionality implementation that could be abused by malevolent individuals, much like how email is used to facilitate traditional phishing campaigns or how malicious JavaScript can be injected into otherwise normal metadata that is then parsed by a frontend. Neither of these is a protocol vulnerability, but both are abuses of functionality.
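The frontend-side mitigation for the scenario above, as an added example that is not code from this post or from the Runes project: an explorer decodes the OP_RETURN payload, escapes it before rendering, and labels any URL-like string as unverified instead of turning it into a clickable link. The metadata layout (plain UTF-8 text pushes after OP_RETURN), the sample data and the helper names `buildOpReturnHex`, `parseOpReturnPushes` and `renderMetadataSafely` are my own illustrative assumptions, not the Runes wire format.

```javascript
// Added defender-side example (not from the Runes project or this post): decode
// an OP_RETURN data-carrier script and render its text for an explorer page
// without ever turning embedded URLs into live links. Layout is an assumption.
const OP_RETURN = 0x6a;
const OP_PUSHDATA1 = 0x4c;
// Encode text pushes as an OP_RETURN script (sample data only; pushes < 256 bytes).
function buildOpReturnHex(strings) {
  const parts = [Buffer.from([OP_RETURN])];
  for (const s of strings) {
    const data = Buffer.from(s, "utf8");
    const prefix = data.length < OP_PUSHDATA1 ? [data.length] : [OP_PUSHDATA1, data.length];
    parts.push(Buffer.from(prefix), data);
  }
  return Buffer.concat(parts).toString("hex");
}
// Return the pushed byte arrays of an OP_RETURN script, or null if it is not one.
function parseOpReturnPushes(scriptHex) {
  const bytes = Buffer.from(scriptHex, "hex");
  if (bytes[0] !== OP_RETURN) return null;
  const pushes = [];
  let i = 1;
  while (i < bytes.length) {
    const op = bytes[i++];
    let len;
    if (op > 0 && op < OP_PUSHDATA1) len = op;        // direct push, 1..75 bytes
    else if (op === OP_PUSHDATA1) len = bytes[i++];   // length in the next byte
    else break;                                        // anything else: stop parsing
    pushes.push(bytes.subarray(i, i + len));
    i += len;
  }
  return pushes;
}
const URL_RE = /(?:https?:\/\/|www\.)[^\s"'<>]+/gi;
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
// Produce { text, urls, html }: decoded text, every URL-like string found (for
// logging or reputation checks), and escaped markup with URLs labelled, not linked.
function renderMetadataSafely(scriptHex) {
  const pushes = parseOpReturnPushes(scriptHex) || [];
  const text = pushes.map((p) => p.toString("utf8")).join(" ");
  const urls = text.match(URL_RE) || [];
  const html = escapeHtml(text).replace(URL_RE, (m) => `[unverified link: ${m}]`);
  return { text, urls, html };
}
// Constructed sample: a token name push plus a phishing-style message push.
const SAMPLE_SCRIPT_HEX = buildOpReturnHex([
  "DEMO.RUNE",
  "Claim your airdrop: https://example.com/claim?u=1 <script>alert(1)</script>",
]);
```

The `urls` list is what a detection pipeline would feed to a URL reputation or takedown process, while `html` is the only form that should reach the page.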
While the emergence of protocols like Runes brings exciting opportunities for expanding the functionality, development, and ecosystems of Bitcoin and of blockchain technology as a whole, it also underscores the importance of remaining vigilant in the face of potential cybersecurity risks. For example, the inclusion of URLs in token metadata, while usually innocent, can serve as a gateway for malicious actors to perpetrate phishing attacks, spread malware, and more. When you’re researching or evaluating new protocols, try to take a step back and put yourself in the mindset of someone who may want to use that protocol for nefarious purposes. I find it helpful to go through each of the steps that I would take to use that protocol and then try to find loopholes in it that I could use to my advantage. As a security professional, this helps me not only to understand protocols more in depth, but also to view them as the bad guys would. Developing a “security mindset” like this is a fantastic first step that anyone can take to protect themselves when working with new or established protocols, as with any technological advancement. By staying informed and adopting a proactive cybersecurity mindset, you can better protect yourself against emerging threats and ensure a safer Web3 environment for all.