Summary
On August 1, whitehat 0xadee028d submitted an arbitrary method call vulnerability in xDai to Immunefi. The vulnerability was assessed to have a severity level of medium, but was out of scope of xDai’s bug bounty program. Additionally, the bug only allowed a potentially malicious hacker to gain access to funds in a contract that users were never supposed to send funds to in the first place.
At the time of the report, however, a user had accidentally sent $4.50 in renBTC to the contract 10 months prior, which amounted to the total funds at risk. If users had sent more funds to that contract, more would have been at risk, and the same holds for any funds sent to that contract in the future. Despite the vulnerability being out of scope, xDai generously decided to pay out a bounty of $5,000 USDC to the whitehat.
Vulnerability Analysis
xDai operates as an Ethereum sidechain, and a bridge between Ethereum Mainnet and the xDai chain allows users to pass arbitrary messages from one chain to the other: an Arbitrary Message Bridge (AMB). One part of the bridge is the set of contracts deployed on both chains. EOAs or other contracts can use them to call contracts on the other side of the bridge.
Since the AMB contracts allow any method of any contract to be called, an attacker could compose a message that executes a token transfer on behalf of the AMB contracts: the bridge contract itself is the caller of the relayed method, so a token contract treats the call as coming from the holder of the bridge's balance.
Although the AMB contracts are not intended to own any tokens, users could still mistakenly send tokens to them. As soon as an attacker discovered such tokens, they could be stolen.
Note that the OmniBridge contracts, which are intended to hold funds sent through the AMB, are not affected by this vulnerability.
Vulnerability Fix
xDai plans to introduce a monitor on the AMB contract that watches for ERC-20 Transfer events, so that the team can identify tokens locked in the contract before anyone else can access them.
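The monitor described above, as an added example that is not xDai's or Immunefi's own code: it scans `eth_getLogs`-style entries for ERC-20 `Transfer` events and flags any whose recipient is a watched bridge contract, so tokens sent there by mistake are noticed before they can be taken. The bridge address, token address and log entries are constructed placeholders, not the real AMB deployment; the only real constant is the standard `Transfer(address,address,uint256)` event topic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 Transfer event topic.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Placeholder for the bridge contract(s) to watch (constructed; not the real AMB address).
WATCHED_CONTRACTS: Set[str] = {"0x00000000000000000000000000000000000000a1"}


@dataclass(frozen=True)
class Transfer:
    token: str
    sender: str
    recipient: str
    value: int
    tx_hash: str


def _topic_to_address(topic: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def parse_transfer(log: Dict) -> Optional[Transfer]:
    """Decode an ERC-20 Transfer log entry; return None for any other event."""
    topics = log.get("topics", [])
    # A standard Transfer carries exactly three topics: signature, from, to.
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return Transfer(
        token=log["address"].lower(),
        sender=_topic_to_address(topics[1]),
        recipient=_topic_to_address(topics[2]),
        value=int(log["data"], 16),  # uint256 amount, ABI-encoded in the data field
        tx_hash=log.get("transactionHash", ""),
    )


def find_locked_transfers(logs: List[Dict], watched: Set[str] = WATCHED_CONTRACTS) -> List[Transfer]:
    """Return every Transfer whose recipient is one of the watched bridge contracts."""
    watched_lower = {w.lower() for w in watched}
    alerts = []
    for log in logs:
        t = parse_transfer(log)
        if t is not None and t.recipient in watched_lower:
            alerts.append(t)
    return alerts


def format_alert(t: Transfer) -> str:
    """One human-readable line per locked transfer, for a pager or chat hook."""
    return f"locked tokens: {t.value} units of {t.token} sent to {t.recipient} in tx {t.tx_hash}"


def _pad_topic(addr: str) -> str:
    """Build a 32-byte indexed-address topic from a 20-byte address (test data helper)."""
    return "0x" + addr[2:].rjust(64, "0")


# Constructed sample logs: one Transfer into the watched contract, one Transfer
# elsewhere, and one unrelated event (constructed topic) that must be ignored.
SAMPLE_LOGS: List[Dict] = [
    {
        "address": "0x00000000000000000000000000000000000000ee",  # constructed token contract
        "topics": [
            TRANSFER_TOPIC,
            _pad_topic("0x00000000000000000000000000000000000000b2"),
            _pad_topic("0x00000000000000000000000000000000000000a1"),  # the watched bridge
        ],
        "data": "0x" + format(450_000, "064x"),  # constructed amount
        "transactionHash": "0xconstructed-tx-1",
    },
    {
        "address": "0x00000000000000000000000000000000000000ee",
        "topics": [
            TRANSFER_TOPIC,
            _pad_topic("0x00000000000000000000000000000000000000b2"),
            _pad_topic("0x00000000000000000000000000000000000000c3"),  # ordinary recipient
        ],
        "data": "0x" + format(1_000, "064x"),
        "transactionHash": "0xconstructed-tx-2",
    },
    {
        "address": "0x00000000000000000000000000000000000000ee",
        "topics": [
            "0x" + "ab" * 32,  # constructed non-Transfer event topic
            _pad_topic("0x00000000000000000000000000000000000000b2"),
            _pad_topic("0x00000000000000000000000000000000000000a1"),
        ],
        "data": "0x" + format(7, "064x"),
        "transactionHash": "0xconstructed-tx-3",
    },
]


if __name__ == "__main__":
    for alert in find_locked_transfers(SAMPLE_LOGS):
        print(format_alert(alert))
```

In production the `SAMPLE_LOGS` list would be replaced by the result of an `eth_getLogs` query filtered on `TRANSFER_TOPIC` with the bridge address in the third topic position, which keeps the node from returning every transfer on the chain; the decoding and alerting logic stays the same.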
Acknowledgements
We’d like to thank the xDai team for its generosity in paying out a bounty of $5,000 to whitehat 0xadee028d, even though the vulnerability was out of scope and hence not eligible for payout. To report additional vulnerabilities, please see xDai’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like xDai, visit the Immunefi services page and fill out the form.