The Further Analysis of the Poly Network Attack

  • The Ontology relayer does not have enough validation mechanisms for the transaction from the Ontology chain.
  • The attacker can directly invoke the putCurEpochConPubKeyBytes function in EthCrossChainData without going through the Ethereum relayer, as long as there is a valid block on the Poly chain.
  • The hash collision, as pointed out by Kelvin (https://twitter.com/kelvinfichter/status/1425290462076747777).

0x1. Transactions and Contracts

Ontology transaction -> Ontology relayer -> Poly chain -> Ethereum relayer -> Ethereum
0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270: EthCrossChainManager
0x cf2afe102057ba5c16f899271045a0a37fcb10f2: EthCrossChainData
0x250e76987d838a75310c34bf422ea9f1ac4cc906: LockProxy
Transaction: 0xb1f70464bd95b774c6ce60fc706eb5f9e35cb5f06e6cfe7c17dcda46ffd59581
Transaction: 0xf771ba610625d5a37b67d30bf2f8829703540c86ad76542802567caaffff280c
Transaction: 0x1a72a0cf65e4c08bb8aab2c20da0085d7aee3dc69369651e2e08eb798497cc80

0x2. Attack Flow

  1. The attacker first initiated a malicious transaction (0xf771ba610625d5a37b67d30bf2f8829703540c86ad76542802567caaffff280c) on the Ontology chain.
  2. The attacker then modified the keeper’s public key stored in the EthCrossChainData contract on Ethereum.
  3. The attacker finally crafted a malicious transaction to harvest crypto assets.

0x2.1 The First Step

0x2.2 The Second Step

0x2.3 The Third Step

0x3. Relayer

  • The attacker can construct a malicious transaction, which will be packed into the Poly chain
  • The attacker can directly invoke the functions in the EthCrossChainData smart contract on Ethereum

0x3.1 Ontology relayer blindly trusts the cross-chain transactions from Ontology

  • Side means the Ontology chain; Alliance means the Poly chain
  • CrossChainContractAddress is the native smart contract (number 09) on the Ontology chain

0x3.2 Bypass Ethereum Relayer

Credits

BlockSec

A Blockchain Security and Data Company.
