Compromised / hacked #17
Comments
This is the attack in detail:

The attacker computed the 32-bit ID for putCurEpochConPubKeyBytes.

The attacker brute-forced a string that, if set as _method in the code snippet above, gives the same 32-bit value. In this case the attacker used the string "f1121318093".

The attacker called a cross-chain transaction from the Ethereum network to the Poly network by triggering EthCrossChainManager and targeting EthCrossChainData, passing the string f1121318093 as _method and the public key of their own Ethereum wallet as a parameter. This triggered EthCrossChainManager into calling the function putCurEpochConPubKeyBytes within EthCrossChainData, demanding that the attacker's public key be registered as a Keeper's. EthCrossChainData executed such a command, since EthCrossChainManager is its owner.

Once the transaction was executed and the attacker was granted the status of Keeper for the Ethereum blockchain, the attacker proceeded to use the corresponding secret key in their possession to funnel tokens out of Poly's Ethereum wallet into their own wallet.

The attacker repeated the above for other Poly liquidity wallets: Binance, Neo, Tether, etc.
Fix: remove ownership from https://github.com/polynetwork/eth-contracts/blob/d16252b2b857eecf8e558bd3e1f3bb14cff30e9b/contracts/core/cross_chain_manager/logic/EthCrossChainManager.sol over the EthCrossChainData.sol contract; use a multisig instead.
Is it a valid bug on Poly Network? Were you able to exploit it?
It was in the news on Aug 10th :-)
Referenced code: eth-contracts/contracts/core/cross_chain_manager/data/EthCrossChainData.sol, line 45 at commit d16252b