On February 6, 2022, Beijing time, the Meter Passport cross-chain bridge project was exploited, causing a loss of US$4.2 million. The original tweet issued by the project party:
This follows yesterday's CertiK release, Analysis of the attack event of the Solana cross-chain bridge Wormhole project.
Exploit transactions
False deposits:
https://bscscan.com/tx/0x63f37aff7e40b85b0a6b3fd414389f6011cc09b276dc8e13b6afa19061f7ed8e
https://etherscan.io/tx/0x2d3987963b77159cfe4f820532d729b0364c7f05511f23547765c75b110b629c
https://bscscan.com/tx/0xc7eb98e00d21ec2025fd97b8a84af141325531c0b54aacc37633514f2fd8ffdc
https://etherscan.io/tx/0xdfea6413c7eb3068093dcbbe65bcc9ba635e227c35e57fe482bb5923c89e31f7
https://bscscan.com/tx/0x5d7cd17bfeb944390667c76f4fc2786f748dc3eb363c01c24b92becaaf5690b4
Hacker:
https://bscscan.com/tx/0xf70b4aa715c0a04079c56cd9036cc63cdb6101e400520a8f2c019ad2ced5358e
https://moonriver.moonscan.io/tx/0x689ff22ebf7f7aa6ecf0d60345979855442a09dfb7439c8553b2369e6e130409
https://etherscan.io/tx/0xd619ace8a8cca2f7eb72dbc0a896fc2d4d8b20aa11f4d747f1a5333305bbb875
https://moonriver.moonscan.io/tx/0xc7f764644e9af42714d98763b7e8dcf5e1de6b855b63e2c6ff2438e09b61ccc7
On-chain transfer records of the hacker address:
https://debank.com/profile/0x8d3d13cac607b7297ff61a5e1e71072758af4d01/history
Contract addresses
Bridge
Ethereum: https://etherscan.io/address/0xa2a22b46b8df38cd7c55e6bf32ea5a32637cf2b1
Moonriver (Moonbeam): https://moonriver.moonscan.io/address/0xf41e7fc4ec990298d36f667b93951c9dba65224e
ERC20Handler
Ethereum: https://etherscan.io/address/0xde4fc7c3c5e7be3f16506fcc790a8d93f8ca0b40
BSC: https://bscscan.com/address/0x5945241bbb68b4454bb67bd2b069e74c09ac3d51
Attack process
Step 1: The attacker calls the `Bridge.deposit()` function to deposit 0.008 BNB into the Bridge contract, which is connected to multiple chains, including Binance Smart Chain, Ethereum, and Moonriver (twice).
In the call to `Bridge.deposit()`, the attacker injects the following malicious data:
Step 2: `Bridge.deposit()` calls the `ERC20Handler.deposit()` function, and the input content is as follows:
Step 3: Since the input resourceID is "0x000000000000bb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c01", the token address resolves to `0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c`, which is the same as `_wtokenAddress`.
Step 4: In this case, once the check passes, the attacker's deposit is accepted without any tokens actually being transferred to the contract.
Step 5: Therefore, the attacker can use the same "data" to mint tokens on the other chains.
Contract Vulnerability Analysis
The Bridge contract provides two methods: deposit() and depositETH(). Generally, deposit() is used for depositing ERC20 tokens, and depositETH() is used for depositing WETH/WBNB tokens.
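The check defect that the steps above describe, shown as an added illustrative example rather than Meter's own code: a simplified handler in the vulnerable shape, where the pull of tokens is skipped whenever the resourceID resolves to the wrapped native token, beside a hardened shape where the bridge states which entry point was used. HandlerBase, resourceIDToToken, isNative and the Deposit event are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the handler pattern described above, not Meter's source.
// HandlerBase, resourceIDToToken, isNative and the Deposit event are assumptions for the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract HandlerBase {
    address public immutable bridge;
    address public immutable _wtokenAddress;               // wrapped native coin (WETH / WBNB)
    mapping(bytes32 => address) public resourceIDToToken;  // resourceID -> token (admin setter omitted)
    event Deposit(bytes32 indexed resourceID, address indexed depositer, uint256 amount);

    constructor(address bridge_, address wtoken) { bridge = bridge_; _wtokenAddress = wtoken; }
    modifier onlyBridge() { require(msg.sender == bridge, "only bridge"); _; }
}

// Vulnerable shape: both Bridge.deposit() and Bridge.depositETH() land here, and the handler
// skips the pull for the wrapped token because depositETH() already wrapped and sent it. It
// cannot tell which entry point was used, so a plain deposit() naming the wrapped token's
// resourceID is credited although nothing was transferred.
contract VulnerableHandler is HandlerBase {
    constructor(address b, address w) HandlerBase(b, w) {}
    function deposit(bytes32 resourceID, address depositer, uint256 amount) external onlyBridge {
        address token = resourceIDToToken[resourceID];
        if (token != _wtokenAddress) {
            require(IERC20(token).transferFrom(depositer, address(this), amount), "transfer failed");
        }
        emit Deposit(resourceID, depositer, amount);  // relayers mint `amount` on the destination chain
    }
}

// Hardened shape: the Bridge states which path it used, and each path is checked against the
// token the resourceID resolves to, so the pull is skipped only when the wrapped native coin
// really arrived through depositETH(); deposit() can no longer name the wrapped token at all.
contract HardenedHandler is HandlerBase {
    constructor(address b, address w) HandlerBase(b, w) {}
    function deposit(bytes32 resourceID, address depositer, uint256 amount, bool isNative) external onlyBridge {
        address token = resourceIDToToken[resourceID];
        if (isNative) {
            require(token == _wtokenAddress, "native path requires the wrapped token");
        } else {
            require(token != _wtokenAddress, "use depositETH for the native coin");
            require(IERC20(token).transferFrom(depositer, address(this), amount), "transfer failed");
        }
        emit Deposit(resourceID, depositer, amount);
    }
}
```

In the hardened shape the Bridge must pass isNative=true only from depositETH(), after it has wrapped msg.value and transferred it to the handler.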
Asset tracking
Hacker address:
https://debank.com/profile/0x8d3d13cac607b7297ff61a5e1e71072758af4d01/history
Summary
This incident is very similar to the Qubit incident that happened not long ago. A hacking incident often prompts more people with ulterior motives to look for similar vulnerabilities in similar projects.
Therefore, a project's technical team should follow security incidents as they occur and promptly check whether their own project has similar problems.
As a leader in blockchain security, CertiK is committed to improving the security and transparency of cryptocurrencies and DeFi. So far, CertiK has been recognized by 2,500 corporate customers, protecting more than $311 billion in digital assets from loss.
