Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Chainlink is a network used by many, many blockchains for several things. It provides oracles for prices on tokens, random numbers and much more.

As such a major part of the ecosystem, they take security very seriously. They have the best of the best audit their software and have a very big bug bounty program on HackerOne and Immunefi. They've gotten audits from Code4rena and other top firms.

Trust (OG auditor) and another researcher Zach (LSR at Spearbit) found a very niche flaw in the Verified Random Function (VRF) system. When generating random numbers, the flow works as follows:

1. Request randomness to the Chainlink contract. This emits an event that will be acted upon.
2. A callback from Chainlink is made to deliver the random number with a proof.

A subtle but important thing is that the the random number sent should be the only one sent. Why is this important? If a user can force a redraw arbitrarily, then the system becomes unfair. For instance, if a user doesn't like a number, then they can just re-request the randomness until it's favorable. With bad setups, this can be an issue with Chainlink.

The issue is that the subscription owner role within a Chainlink can block randomness from coming in then force a redraw. This role is typically reserved for a member of the hosting DApp, making it a very privileged position.

The hackers were given a 300K bounty from Immunefi for the critical finding. To me, having a privileged role being able to redraw randomness doesn't feel like this big of a finding. However, considering this is Chainlink which supports many use cases, they want to ensure that in a completely decentralized application that a single role cannot abuse Chainlink. Good write up!