Hashi Bridge Post-Mortem

What went wrong?

function sendERC20ToSidechain( 
bytes32 to,
uint amount,
address tokenAddress)
external
shouldBeInitialized shouldNotBePreparedForMigration {
IERC20 token = IERC20(tokenAddress);
require(token.allowance(msg.sender, address(this)) >= amount, “NOT ENOUGH DELEGATED TOKENS ON SENDER BALANCE”); bytes32 sidechainAssetId = _sidechainTokensByAddress[tokenAddress];
if (sidechainAssetId != “” || _addressVAL == tokenAddress || _addressXOR == tokenAddress) {
ERC20Burnable mtoken = ERC20Burnable(tokenAddress); mtoken.burnFrom(msg.sender, amount);
} else {
require(acceptedEthTokens[tokenAddress], “The Token is not accepted for transfer to sidechain”);
token.transferFrom(msg.sender, address(this), amount);
}
emit Deposit(to, amount, tokenAddress, sidechainAssetId);
}
  • The function produces the Deposit event at the end, which determines the amount of tokens to be deposited to the SORA network account from the SORA bridge account.

Attack Angle

  • The Hacker 0x743143F37D1E901494aBa15D1E8463806663e822 created a new smart contract that emitted a Deposit event (with the same name and parameters).
  • This transaction happened on Mar-14–2022 09:04:35 UTC+1 and produced a fictitious Deposit event, that was consumed by the SORA bridge, depositing more tokens in the SORA network than were actually deposited on the Ethereum side.
  • On the SORA side, request_from_sidechain was called by the hacker which took the event from the hacker’s smart contract.
  • The account 0xd04a1ac0a2e9e81407555881600ceb1fe0d9a5bf received 0.1 ETH from Tornadocash to perform the attack and withdrew 150ETH, which was almost immediately sent back to Tornadocash and broken down into smaller amounts. The attacker’s SORA account cnUt4e1wvUWKghRxgeKZrxoyonjW5iFh5nhRJuqF6EyBgtuecwas identified as well.

Attacker Information

  • Following the breadcrumbs, it was revealed that the account 0xd04a1ac0a2e9e81407555881600ceb1fe0d9a5bf performed the attack after receiving 0.1 ETH from Tornadocash, and then, after receiving 150 ETH from the bridge (9:04 am), the amount was broken down (9:11 am) into 100 ETH, then 4 x 10ETH and 9x 1ETH and 5x 0.1 ETH on Tornadocash respectively. The 100 ETH was refunded, but the remaining amount broken down into 18 separate pieces amounting to 50 ETH was not recovered, as it was distributed amongst the flagged addresses.
  • For the next two days, the flagged account 0x743143F37D1E901494aBa15D1E8463806663e822 received ETH from Tornadocash and proceeded to send 9.7 ETH to the ENS address arnavgupta.eth
  • The ENS address arnavgupta.eth has received transfers from 0x743143F37D1E901494aBa15D1E8463806663e822 as well as the Hashi Bridge.
  • The attacker tried the exploit angle again from the account 0x39e36272efe6677bfab32b5bd5da15498a38afc9 and sent funds to 0x743143F37D1E901494aBa15D1E8463806663e822 (The transactions 0.01 Contract & ETH, as well as 0.06 contract and ETH by this address, correspond to interactions with the Hashi Bridge)
  • cnVvKzpuhamBeRmmWFyxRctkigqvVrfmCiRf4FpT3bydiS8c5
  • cnUybhZSiHRD2gJseyPLPY8sv8LBN3iYcbApQh1CbkZWjzGPq
  • cnVet8ujYypSrLD7upsknWyrUNBHMon1sbZ5tQJFECeCkWXsw
  • cnWAHWjjLkcTLSSKV2grAnS1NK16gmYp4sS2bsd2HRTYswFui
  • cnTBKrrZrB3zpNLH3tKvsQmx29LojKjqPqQ6tAbHRdg1hY7Lo
  • 0x1f289da34192316918b2cbb4df0c39eca3847fb5
  • 0xf58ba06e5b1e8e11535e35c936e3c97c2eba6594
  • 0xbe89aaf61b3ee2d26521aa740b6a06bbe88a11dc
  • 0xc8b9d903f1670ffc0900bf2aa56853dd161123fe
  • 0x640f4e28f6485c118e1b350b6357d7300c03b637

How Was it Fixed

  1. Fast action: Bridge was stopped in order to prevent further hacks.
  2. The smart contract address on the SORA side was checked during the Deposit event processing
  3. A mainnet runtime upgrade with a bridge fix was immediately implemented.
  4. The hacker was pinpointed and called out, which led to a refund of 130 ETH of the total 150 ETH compromised.

How Will Further Attacks be Prevented

Social Insurance for Systemic Infrastructure Claim

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store