Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Aptos and Sui are protocols built in the Move programming language. Both of these projects use type constraint checker to improve the safety of programs before they are executed. The verifier is a very important for the security of the platform.

Move needs to build a Control Flow Graph (CFG) in order to verify the reference and locals safety checker. The CFG divides code into basic blocks then adds successor edges to where the code could potentially go, with at most two. This CFG is used by the verifier code in order to confirm everything is safe.

The vulnerability appears to be an edge case to prevent integer overflows. If the index of the code was the maximum 16 bit integer, then an empty sets of edges were returned. This can be seen in the code snippet at here. Without the edge, the verifier will never check this edge but the code will still be executed! The difference between the use and the check is the problem.

In Move, there is the concept of a Hot Potato. This is when a program gives some code that an address must invoke. With a flash loan, this requires the user to run code in order to pay back the flash loan. If we could get rid of the flash loan amount or the callback itself, it would be horrible for the program.

Using the vulnerability in the verifier above, we can bypass this check! We force the unverified block to be code that would overwrite the value of the flash loan that we need to provide. Normally, the verifier would catch this not allowing us to write to this section. This is just an example of how this can be exploited though.

Overall, a super interesting bug in how the Move programming language must operate. Aptos labs has a 1M bounty on vulnerabilities that lead to lost of funds and is very concerned with the security of the platform.