Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Election Fraud? Double Voting in Celer’s State Guardian Network- 1171

Felix Wilhelm, posted 2 years ago
  • Celer is a blockchain protocol that enables cross-chain communication. It is built on top of Cosmos with the State Guardian Network (SGNv2). SGN validators are responsible for monitoring events on the on-chain contracts and forwarding them to the destination chains. The author points out that the on-chain code is usually public while the internal infrastructure is not.
  • A transfer starts with a call to send on one of the liquidity bridge contracts. This locks the tokens on that bridge and emits a Send event describing the details of the transfer. An SGN node picks up the event and calls MsgProposeUpdates to update the contract on the destination chain.
  • To prevent malicious updates, there is a voting mechanism in place. A node votes on the outcome of a proposal by sending MsgVoteUpdates, a yes or no vote on each active proposal. The sync module receives the votes and adds them to a data structure. At the end of the block, the EndBlocker function iterates through the pending updates to check that each one passed with a 2/3 vote.
  • The EndBlocker function does not check whether the same validator has already voted. Using this, a malicious validator could vote multiple times. Yikes! That breaks the entire voting system. The result is directly lost funds, since an attacker can spoof on-chain events such as bridge transfers and much more.
  • Celer has several mechanisms in place to prevent all of the funds from being stolen. First, there is a delay for large-value transfers on the bridges; this volume-control contract gives the developers time to act. Secondly, the contracts are pausable, with automatic triggers to stop them. Overall, a fairly simple bug in a complicated architecture.
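To make the tally flaw concrete, here is an added Go example (my own illustration, not Celer's or the post author's code; the Vote struct, its field names and the voting-power map are assumptions) that places a tally counting every vote message beside one that counts each validator address once and then applies the 2/3 rule.

```go
package main
// Vote is a constructed stand-in for one MsgVoteUpdates entry (field names are assumptions).
type Vote struct {
	Validator string
	Yes       bool
}

// totalPower sums the voting power of the active validator set.
func totalPower(power map[string]int64) int64 {
	var sum int64
	for _, p := range power {
		sum += p
	}
	return sum
}

// yesPowerNaive mirrors the flaw described above: every vote message adds the
// sender's power, so a validator that votes repeatedly is counted repeatedly.
func yesPowerNaive(votes []Vote, power map[string]int64) int64 {
	var yes int64
	for _, v := range votes {
		if v.Yes {
			yes += power[v.Validator]
		}
	}
	return yes
}

// yesPowerDedup is the hardened form: one vote per validator address, counted
// on first sight; addresses outside the active set are ignored.
func yesPowerDedup(votes []Vote, power map[string]int64) int64 {
	var yes int64
	seen := map[string]bool{}
	for _, v := range votes {
		p, active := power[v.Validator]
		if !active || seen[v.Validator] {
			continue // not in the validator set, or already voted
		}
		seen[v.Validator] = true
		if v.Yes {
			yes += p
		}
	}
	return yes
}

// passes applies the 2/3 supermajority rule in integers: 3*yes >= 2*total.
func passes(yes, total int64) bool {
	return 3*yes >= 2*total
}
```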