Before even diving into the target itself, the author goes through how they themselves pick a target. Ecosystem: the more mature the thing, the more bugs it's going to have. TVL range: very large means lots of auditors, very small means fewer audits. Project type: knowing the common pitfalls in specific functionality can quickly allow for understanding a project. Forks: if a bug is found in a project with many forks, then many things are vulnerable. Additionally, changes to forks can be easily diffed.
They then talk about going for depth, breadth and speed. Since they were browsing this in their free time, I'm guessing they were going for speed. They tend to look for things with a TVL of 5M+ and nice bug bounties.
The sendFrom() function is responsible for sending staked users' tokens across chains. Additionally, a user can allocate an allowance to another user for these cross-chain calls. Conversely, the function _debtFrom() checks that the user calling sendFrom() has been allocated the proper allowance by the sending address. If this is true, it burns the tokens and then sends them off to another chain.
The allowance check is where the bug sits. Instead of checking the classic owner->spender->amount mapping as it should, it was checking spender->spender->amount. Since an attacker controlled both of these keys, they could approve themselves to spend their own value and then spend the funds of other users arbitrarily. Yikes!
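To make the mapping mix-up concrete, here is an added illustration (not the audited project's code) of the vulnerable allowance lookup beside the corrected one; the contract, function and variable names are assumptions chosen for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal model of the allowance bug described above (assumed names, not the real contract).
contract AllowanceCheckDemo {
    mapping(address => uint256) public balanceOf;
    // Standard ERC-20 layout: owner => spender => amount
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000 ether; // constructed sample balance for the deployer
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
    }

    // Vulnerable pattern: the lookup is keyed spender->spender, so the check never
    // consults `from` at all; a self-approval satisfies it for any `from`.
    function _debitFromVulnerable(address from, uint256 amount) internal {
        address spender = msg.sender;
        if (from != spender) {
            uint256 allowed = allowance[spender][spender];
            require(allowed >= amount, "insufficient allowance");
            allowance[spender][spender] = allowed - amount;
        }
        _burn(from, amount);
    }

    // Corrected pattern: the allowance must have been granted by `from` to the spender.
    function _debitFromFixed(address from, uint256 amount) internal {
        address spender = msg.sender;
        if (from != spender) {
            uint256 allowed = allowance[from][spender];
            require(allowed >= amount, "insufficient allowance");
            allowance[from][spender] = allowed - amount;
        }
        _burn(from, amount);
    }

    // Entry points mirroring sendFrom(); the actual cross-chain message is omitted.
    function sendFromVulnerable(address from, uint256 amount) external { _debitFromVulnerable(from, amount); }
    function sendFromFixed(address from, uint256 amount) external { _debitFromFixed(from, amount); }
}
```

A unit test that calls sendFromVulnerable with someone else's address after a self-approve, and expects it to revert, is the regression check that would have caught this.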
This attack could have stolen $3M worth of funds. It's insane that such a simple bug slipped through the cracks across multiple audits. Good find nonetheless.