In February 2022, the cross-chain bridge was the victim of an attack.  The attacker took advantage of a mistaken assumption in the blockchain protocol’s code to drain $4.4 million from the bridge and cause Hundred Finance, which relied on the bridge, to lose an additional $3.3 million in assets.

Inside the Attack

The attacker took advantage of an assumption within the protocol’s code regarding deposits of wrapped native tokens.  For example, a deposit of wrapped Ether (WETH) would not trigger a burn or lock of tokens because the wrapped ETH could be unwrapped and transferred to the handler contract.

The problem with this assumption is that Meter has two functions where users could make deposits: depositEth and the underlying ETH20 deposit function.  The depositEth function fulfills this assumption and validates the amount of value in the transaction’s calldata, which is the value that will later be passed to the deposit function.

The other deposit function does not fulfill this assumption or check that msg.value equals the amount specified within the calldata.  The attacker called this deposit function directly and passed it an arbitrary amount in the calldata.  This value was then sent to the handler’s deposit function, enabling the attacker to drain value from the protocol.

Hundred Finance was affected by the attack because the local price of BNB.bsc was depreciated due to the hack.  Exploiters were able to buy BNB.bsc at a discounted rate and use them as collateral for loans with Hunter Finance, who used the global Chainlink price for the assets.  As a result, the attackers could drain uncompromised assets from the protocol.  Two of the four opportunistic loans were repaid, leaving Hunter Finance out $3.3 million.

Lessons Learned From the Attack

The crucial assumption within the blockchain protocol’s code was made in a function that was a modified version of Chainsafe’s ChainBridge.  This assumption was valid for the function by which a user was “supposed to” make deposits, but another version was publicly accessible.  Since this other function also lacked the validation of the amount within the calldata, the attacker was able to trick the protocol into paying out much more than they put in.

This attack is similar to the recent Qubit hack, which also took advantage of a depositEth and deposit function with one crucial difference.  These oversights should have been detected during a smart contract audit, which would have prevented the theft of over $7.7 million in assets from Meter and Hundred Finance.

Rob Behnke