
At 19:06:46 on June 23, 2022, Beijing time, the CertiK audit team detected multiple malicious attacks on the cross-chain bridge between the Harmony chain and Ethereum.
Attack steps
Let's take the first attack transaction, which drained 13,100 ETH, as an example:
① The owner of the MultiSigWallet contract, 0xf845a7ee8477ad1fb446651e548901a2635a915, calls the submitTransaction() function to submit a transaction with the following payload, which creates transaction id 21106.
② To confirm the transaction, the caller must be an owner of the contract.
③ In the next step of the attack, another owner of the MultiSigWallet contract (0x812d8622c6f3c45959439e7ede3c580da06f8f25) calls the confirmTransaction() function with transaction id 21106 as input.
④ To execute the transaction successfully, the caller must also be an owner of the contract.
⑤ The executeTransaction() function makes an external call with the stored input data, which triggers the unlockEth() function on the Ethmanager contract.
⑥ The input data passed to unlockEth() specifies the amount, the recipient, and the payee.
⑦ Because the attacker had, by some means, gained control of owner privileges, they were able to execute transaction id 21106, which transferred 13,100 ETH to the attacker's address 0x0d043128146654C7683Fbf30ac98D7B2285DeD00.
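The submit/confirm/execute sequence above, modelled in Python as an added example (this is not the Harmony contract's code or CertiK's). It assumes a Gnosis-style wallet in which the submitter's own confirmation is recorded on submission and execution fires as soon as the confirmation threshold is reached; owner names, the threshold and the calldata placeholder are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Transaction:
    data: bytes
    executed: bool = False
    confirmations: set = field(default_factory=set)

class MultiSigWallet:
    def __init__(self, owners, required):
        assert 0 < required <= len(owners)
        self.owners, self.required = set(owners), required
        self.transactions = []

    def _only_owner(self, caller):  # the check behind steps ② and ④
        if caller not in self.owners:
            raise PermissionError(f"{caller} is not an owner")

    def submit_transaction(self, caller, data):
        # Step ①: an owner submits and receives a transaction id (assumed: submitter confirms implicitly)
        self._only_owner(caller)
        self.transactions.append(Transaction(data))
        tx_id = len(self.transactions) - 1
        self.confirm_transaction(caller, tx_id)
        return tx_id

    def confirm_transaction(self, caller, tx_id):
        # Step ③: a second owner confirms the same id
        self._only_owner(caller)
        self.transactions[tx_id].confirmations.add(caller)
        return self.execute_transaction(caller, tx_id)

    def execute_transaction(self, caller, tx_id):
        # Steps ④/⑤: once the threshold is met, the stored calldata goes out (the unlockEth() call)
        self._only_owner(caller)
        tx = self.transactions[tx_id]
        if tx.executed or len(tx.confirmations) < self.required:
            return False
        tx.executed = True
        return True

def replay_attack(owners, required, compromised_keys):
    """Replays the step sequence with attacker-held owner keys; True means the unlock executed."""
    wallet = MultiSigWallet(owners, required)
    payload = b"unlockEth(amount, recipient, payee)"  # constructed stand-in for the real calldata
    submitter, *confirmers = compromised_keys
    tx_id = wallet.submit_transaction(submitter, payload)
    for key in confirmers:
        wallet.confirm_transaction(key, tx_id)
    return wallet.transactions[tx_id].executed
```

With five constructed owners and a threshold of 2, two compromised keys are enough for the unlock to execute; raising the threshold to 4 makes the same two-key sequence return False, which is the centralization risk an audit would flag.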
Whereabouts of assets
Attack transactions
• In the following transaction the attacker stole 13,100 ETH, worth about $14,619,600 at the ETH price at the time of writing ($1116): https://etherscan.io/tx/0x27981c7289c372e601c9475e5b5466310be18ed10b59d1ac840145f6e7804c97
• In the following transaction the attacker stole 41,200,000 USDC: https://etherscan.io/tx/0x6e5251068aa99613366fd707f3ed99ce1cb7ffdea05b94568e6af4f460cecd65
• In the following transaction the attacker stole 592 WBTC, worth about $12,414,832: https://etherscan.io/tx/0x4b17ab45ce183acb08dc2ac745b2224407b65446f7ebb55c114d4bae34539586
• In the following transaction the attacker stole 9,981,000 USDT: https://etherscan.io/tx/0x6487952d46b5265f56ec914fcff1a3d45d76f77e2407f840bdf264a5a7459100
• In the following transaction the attacker stole 6,070,000 DAI: https://etherscan.io/tx/0xb51368d8c2b857c5f7de44c57ff32077881df9ecb60f0450ee1226e1a7b8a0dd
• In the following transaction the attacker stole 5,530,000 BUSD: https://etherscan.io/tx/0x44256bb81181bcaf7b5662614c7ee5f6c30d14e1c8239f006f84864a9cda9f77
• In the following transaction the attacker stole 84,620,000 AAG, worth about $856,552: https://etherscan.io/tx/0x8ecac8544898d2b2d0941b8e39458bf4c8ccda1b668db8f18e947dfc433d6908
• In the following transaction the attacker stole 110,000 FXS, worth about $573,100: https://etherscan.io/tx/0x4a59c3e5c48ae796fe4482681c3da00c15b816d1af9d74210cca5e6ea9ced191
• In the following transaction the attacker stole 415,000 SUSHI, worth about $518,750: https://etherscan.io/tx/0x75eeae4776e453d2b43ce130007820d70898bcd4bd6f2216643bc90847a41f9c
• In the following transaction the attacker stole 990 AAVE, worth about $67,672: https://etherscan.io/tx/0xc1c554988aab1ea3bc74f8b87fb2c256ffd9e3bcadaade60cf23ab258c53e6f1
• In the following transaction the attacker stole 43 WETH, worth about $49,178: https://etherscan.io/tx/0x698b6a4da3defaed0b7936e0e90d7bc94df6529f5ec8f4cd47d48f7f73729915
Closing remarks
CertiK's Web3.0 Security Status Report for the First Quarter of 2022 showed that the main culprit behind the sky-high attack losses in Web3.0 during that quarter was centralization risk, and that cross-chain bridges were the most vulnerable targets.
The centralization risk exploited in this attack could have been identified through an audit. Beyond auditing, the CertiK security team recommends that new code also be tested promptly before it goes live.