Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Is the Move Language Secure? The Typus Permission-Validation Vulnerability
SlowmistPosted 4 Months Ago- Typus Finance on the Sui blockchain suffered a hack recently of about 3.44M USD. This article explains the vulnerability and the exploit itself.
- Typus Finance has an oracle that contained the following code:
public fun update_v2( ... ) { // check authority vector::contains(&update_authority.authority, &tx_context::sender(ctx)); version_check(oracle); update_(oracle, price, twap_price, clock, ctx); } - The code above attempts to update the price of an Oracle. The object
UpdateAuthoritycontains a list of trusted updater addresses. The intention ofvector::containsis to check that the caller is indeed trusted. The problem is that this doesn't revert the execution. It returns a boolean, and that's it. So, the access control check fails. - What's the consequence of this? If you can update the price of the oracle, then you can manipulate the entire protocol. In functions like
swap(), it utilizes the oracle to determine the price of the asset, rather than the standard constant-product formula. So, an attacker would simply drop the price of the asset and execute a highly discounted trade for the desired asset. - They carried out this attack on 10 different pools to steal a substantial amount of funds. They then transferred the assets through CCTP to the Ethereum blockchain.
- The vulnerability is a classic case of mishandling errors. Similar to
assert()not being enabled in production builds, this lets an invalid state get through. Good write-up!
