Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Meter.io Hack- 866

Rob Behnke, posted 3 years ago
  • Meter.io is a cross-chain bridge. A wrapped token is an ERC-20 representation of another asset that is meant to be redeemable for it one-to-one; here the bridge handled wrapped ETH (WETH) on one code path and native (unwrapped) ETH on another.
  • Handling a wrapped native token carries assumptions that are baked into the code. In this case the bridge assumed that a deposit of the wrapped native token did not need to be locked or burned (removed from circulation) by the ERC-20 handler, because the native coins were supposed to have already been wrapped into the contract by the native-deposit path.
  • A user could deposit through two different functions: depositETH and the generic ERC-20 deposit function. depositETH checks that the amount encoded in the calldata equals msg.value, but the ERC-20 path performs no such require check when the token is the wrapped native token.
  • Why is this bad? An attacker can call the unchecked path and specify an arbitrary deposit amount in the calldata without sending any value. The contract credits the amount anyway, and the attacker then withdraws it, draining funds that other users had actually deposited.
  • Meter's bridge was forked from an open source project. Inheriting code whose assumptions you do not fully understand, and then changing the code around it, is how flaws like this creep in.
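To make the two-path deposit flaw concrete, here is an added example (my own illustration, not Meter's or Halborn's code). It is a hypothetical, cut-down bridge: the contract names, the `credited` ledger and the `release` function are assumptions standing in for the real relayer flow. It shows the native path that does check msg.value, the ERC-20 path with the unchecked wrapped-token special case, the hardened form of that path, and the attack sequence against the vulnerable one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, cut-down bridge deposit side written for this note. It is not
// Meter's code: contract and function names, the `credited` ledger and the
// `release` function are assumptions that stand in for the relayer flow.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IWETH is IERC20 {
    function deposit() external payable; // wrap the native coin sent with the call
}

abstract contract BridgeBase {
    IWETH public immutable wrappedNative;
    // Amount each depositor is owed on the far side; a relayer would honour this.
    mapping(address => uint256) public credited;

    constructor(IWETH _wrappedNative) { wrappedNative = _wrappedNative; }

    // Native-coin path: the amount is decoded from calldata AND checked against msg.value.
    function depositETH(bytes calldata data) external payable {
        uint256 amount = abi.decode(data, (uint256));
        require(msg.value == amount, "amount != msg.value");
        wrappedNative.deposit{value: msg.value}(); // wrap into this contract
        credited[msg.sender] += amount;
    }

    // ERC-20 path: the amount is also decoded from calldata. Vulnerable and fixed below.
    function deposit(address token, bytes calldata data) external payable virtual;

    // Pays out what a depositor is credited with (stands in for the withdrawal step).
    function release(uint256 amount) external {
        require(credited[msg.sender] >= amount, "insufficient credit");
        credited[msg.sender] -= amount;
        require(wrappedNative.transfer(msg.sender, amount), "transfer failed");
    }
}

// Vulnerable: the wrapped-native special case trusts that the coins are already here.
contract VulnerableBridge is BridgeBase {
    constructor(IWETH w) BridgeBase(w) {}

    function deposit(address token, bytes calldata data) external payable override {
        uint256 amount = abi.decode(data, (uint256));
        if (token == address(wrappedNative)) {
            // Assumed to be reached only via depositETH, which has wrapped the coins
            // already, so nothing is locked or burned here. No transferFrom, no
            // msg.value check: `amount` is whatever the caller put in calldata.
        } else {
            require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        }
        credited[msg.sender] += amount;
    }
}

// Fixed: no special case. Every path that credits `amount` must take `amount` in.
contract FixedBridge is BridgeBase {
    constructor(IWETH w) BridgeBase(w) {}

    function deposit(address token, bytes calldata data) external payable override {
        uint256 amount = abi.decode(data, (uint256));
        require(msg.value == 0, "use depositETH for native coin");
        // The wrapped token is pulled like any other ERC-20, so the caller must
        // actually hold and approve it; a bogus calldata amount simply reverts.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        credited[msg.sender] += amount;
    }
}

// The attack against VulnerableBridge: credit yourself for free, then cash out
// the wrapped coins that honest users deposited through depositETH.
contract Drain {
    function run(VulnerableBridge bridge, uint256 amount) external {
        bridge.deposit(address(bridge.wrappedNative()), abi.encode(amount)); // no value sent
        bridge.release(amount);
    }
}
```

The invariant to review for in any bridge or vault is the one the fixed contract restores: on every entry point that records a balance, the recorded amount must be tied to value that verifiably arrived in the same call, either `msg.value` or a successful `transferFrom`. The moment one path is allowed to assume another path ran first, that assumption becomes an attacker-controlled input. `FixedBridge.deposit` stays `payable` only because Solidity does not allow an override to drop that mutability; the explicit `msg.value == 0` check closes the gap.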