Acala is an L2 blockchain built around the Polkadot ecosystem. Polkadot acts as the relay chain which coordinates with the other blockchains in the network. Acala, in this system, is referred to as a "Parachain". A parachain is able to implement lots of custom functionality for its own needs.
On a Parachain, there are para-validators. These validators are responsible for block creation and block finalization on a specific parachain.
One module specific to Acala is the Homa module. Homa is a Tokenized Liquid Staking Protocol. The idea is that DOT (Polkadot tokens) can be put into the module and a representation called LDOT is returned to the user. Everyone wins: the protocol has more funds to use in staking, the user gets a little bit of that profit, and the user is able to use LDOT on the blockchain for other things. If a user wants to withdraw their DOT tokens, the user submits an unbond request. Every 24 hours all of the unbond requests are processed at once.
The vulnerability is relatively simple to describe but harder to confirm as exploitable: a missing size limit on the number of unbond requests. Since this list is unbounded (see what I did there), it can be filled up to force the blockchain to process too many in a single call. There's just a big loop that iterates over all of them.
When I see vulnerabilities like this, I think "PoC or GTFO". Is this actually exploitable? In reality, it is! The blog post says that Acala blocks have a time limit and if this isn't met then the chain halts. By creating 22K withdrawal requests, it slows down the chain enough to prevent the block from being created.
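A simplified model of the pattern described above, added here as an example (this is not Acala's or the Homa module's own code): an unbonded-request queue that is unbounded and drained in one call, beside a queue that caps both the number of outstanding requests and the number settled per processing call. The type names and the `MAX_PENDING` / `MAX_PER_BLOCK` values are assumptions chosen for illustration.

```rust
// Added example, not Acala's code. Names and limits below are hypothetical.
const MAX_PENDING: usize = 1_000;   // cap on outstanding requests (assumed value)
const MAX_PER_BLOCK: usize = 100;   // cap on requests settled per processing call

#[derive(Debug, PartialEq)]
pub enum UnbondError {
    QueueFull,
}

/// Unbounded pattern: no limit on queue length, and `process_all` drains the
/// whole queue in one call, so the work done in one block grows with the
/// number of requests submitted.
pub struct UnboundedQueue {
    pending: Vec<(u64, u128)>, // (account id, amount)
}

impl UnboundedQueue {
    pub fn new() -> Self { Self { pending: Vec::new() } }
    pub fn request_unbond(&mut self, who: u64, amount: u128) { self.pending.push((who, amount)); }
    /// Settles every pending request in a single loop; returns how many were settled.
    pub fn process_all(&mut self) -> usize {
        let n = self.pending.len();
        for (_who, _amount) in self.pending.drain(..) { /* settle payout */ }
        n
    }
}

/// Bounded pattern: reject new requests beyond a fixed cap (the role a
/// BoundedVec plays in Substrate) and settle at most MAX_PER_BLOCK per call, so
/// the work done in any single block stays bounded regardless of queue length.
pub struct BoundedQueue {
    pending: Vec<(u64, u128)>,
}

impl BoundedQueue {
    pub fn new() -> Self { Self { pending: Vec::new() } }
    pub fn request_unbond(&mut self, who: u64, amount: u128) -> Result<(), UnbondError> {
        if self.pending.len() >= MAX_PENDING {
            return Err(UnbondError::QueueFull);
        }
        self.pending.push((who, amount));
        Ok(())
    }
    /// Settles up to MAX_PER_BLOCK requests; returns (settled, still pending).
    pub fn process_batch(&mut self) -> (usize, usize) {
        let take = self.pending.len().min(MAX_PER_BLOCK);
        for (_who, _amount) in self.pending.drain(..take) { /* settle payout */ }
        (take, self.pending.len())
    }
    pub fn len(&self) -> usize { self.pending.len() }
}
```

The leftover requests in the bounded version carry over to the next processing call, which is the trade-off: withdrawals may take more than one round to settle, but no single block can be pushed past its time limit.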
The payout was interesting to me. According to Immunefi, a Governance proposal takes 15 days to go through on Acala, meaning that a downtime of 15 days is likely because the proposal is required for the upgrade. Additionally, DefiLlama shows a 15 day volume of 712K per day. Given that the payout should be 10% of that, the whitehat got 10% of it.
To me, this calculation is strange. If a chain were indeed really down, the governance would pass significantly faster. Additionally, a denial of service paying 10% of funds at risk is weird to me; it's an L1 that can fix the chain. The funds were never permanently stuck, as they would be if it were a smart contract that couldn't be changed.
A good bug, a good payout and a good writeup!