
Knownsec Blockchain Security Lab | Meter.io attack event analysis

Author: Knownsec Blockchain Lab

Preface

On the evening of February 5, 2022, Beijing time, the Meter.io cross-chain protocol was attacked, losing about $4.3 million. Knownsec Blockchain Security Lab tracked the incident as soon as it occurred and analyzed it.

Analysis

Basic information

tx (Moonriver): 0x5a87c24d0665c8f67958099d1ad22e39a03aa08d47d00b7276b8d42294ee0591

Attacker: 0x8d3d13cac607B7297Ff61A5E1E71072758AF4D01

Bridge: 0xFd55eBc7bBde603A048648C6eAb8775c997C1001

ERC20Handler (depositHandler): 0x5945241BBB68B4454bB67Bd2B069e74C09AC3D51

Vulnerability principle

The key to the vulnerability lies in the deposit function of the cross-chain bridge contract. The deposit function looks up the corresponding depositHandler according to the sourceID and calls that handler's deposit function to run the actual deposit logic.

The deposit function of the depositHandler contains a logic flaw: when tokenAddress is not _wtokenAddress, the tokens are burned or locked, but when it is _wtokenAddress, that part of the processing is skipped entirely.

The flawed check was probably written on the assumption that the depositETH function in the cross-chain bridge contract converts the chain's native coin to wToken and then transfers it to the depositHandler address. By the time the depositHandler executes its deposit logic, the token transfer has already been handled, so the token-processing logic is skipped.

However, the deposit function of the cross-chain bridge contract performs no token transfer or verification of its own. When the depositHandler executes deposit, data constructed so that tokenAddress == _wtokenAddress bypasses the token processing, and the caller gets something for nothing.
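The handler logic described above, as a simplified Solidity sketch beside one possible hardened form. This is an added example, not Meter.io's contract code: the contract name, the function names other than deposit, the `recorded` mapping and the explicit parameters (the real handler decodes its arguments from data) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified model written for this analysis; names are hypothetical.
contract HandlerSketch {
    address public immutable bridge;         // only the bridge may call the handler
    address public immutable _wtokenAddress; // wrapped native token
    // Deposits the handler has accepted and that the destination chain will honour.
    mapping(address => uint256) public recorded;

    constructor(address bridge_, address wtoken_) {
        bridge = bridge_;
        _wtokenAddress = wtoken_;
    }

    modifier onlyBridge() {
        require(msg.sender == bridge, "caller is not the bridge");
        _;
    }

    // Flawed pattern: the wrapped-token case skips the lock (or burn) step,
    // trusting that the bridge already moved the funds. Only the bridge's
    // depositETH path does that; its plain deposit path moves nothing.
    function depositFlawed(address tokenAddress, address depositor, uint256 amount) external onlyBridge {
        if (tokenAddress != _wtokenAddress) {
            require(IERC20(tokenAddress).transferFrom(depositor, address(this), amount), "lock failed");
        }
        recorded[depositor] += amount;
    }

    // Hardened: the generic path always pulls the tokens from the depositor,
    // whatever the token address is.
    function deposit(address tokenAddress, address depositor, uint256 amount) external onlyBridge {
        require(IERC20(tokenAddress).transferFrom(depositor, address(this), amount), "lock failed");
        recorded[depositor] += amount;
    }

    // Hardened: the pre-funded case has its own entry point, which the bridge
    // calls only from depositETH after wrapping msg.value and sending it here.
    function depositPrefundedWrapped(address depositor, uint256 amount) external onlyBridge {
        recorded[depositor] += amount;
    }
}
```

The invariant to audit for is that every code path that increases `recorded` is preceded by a verified transfer of the same amount, either in the handler itself or in the single bridge function allowed to reach the pre-funded entry point.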

Summary

The core cause of this attack is a flawed logic check in the depositHandler of the Meter.io cross-chain bridge. The check fits the depositETH scenario of the bridge contract but overlooks the bypass it opens in the deposit scenario.

Contract vulnerabilities and security incidents have been frequent recently, and it is necessary to implement contract audits, risk control measures, and emergency plans.