Multichain, formerly known as AnySwap, is infrastructure for a multi-blockchain ecosystem. Like other cross-chain protocols, it is essentially a bridge that lets users move tokens from one chain to another by issuing its own token on each platform.
A white hat hacker reported a vulnerability in the platform. The issue was fixed immediately, but users also needed to revoke permissions in order to be fully protected.
What was the issue? AnyswapERC20 and AnyswapRouter assumed that every token contract implements the permit function, which is used for gasless approval of token transfers. Some of the tokens involved did not implement permit but did have a fallback function, so a call to permit triggered the fallback instead of any permit code.
Since permit is the code that checks whether a user has authorised the transfer of funds, silently skipping it bypasses a critical security check. An attacker can therefore steal any funds covered by such permits. This is possible when two conditions are met:
- Permit is NOT implemented.
- There is a generous fallback function on the token.
Why only permits? The check that gets broken is the validation of the permit, i.e. of the `from` side of the transfer. As a result, if ANY permits exist for an address, an attacker is able to steal those funds. To launch the attack, they need to trade a token that meets the criteria above; when they attempt to run this code to transfer funds from another user, there is no limit on the amount of funds sent.
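The pattern described above, written out as an added example of my own (not Multichain's code) with a hardened variant beside it; the interface names, the `RouterExample` contract and its two functions are assumed for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}
interface IERC20Permit {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
}

contract RouterExample {
    // Vulnerable pattern from the post: the router assumes every token implements
    // permit. If `token` has no permit but a permissive fallback, the permit call
    // "succeeds" without any signature check, and transferFrom then moves funds
    // from `from` on the strength of a pre-existing approval.
    function depositWithPermitUnsafe(address token, address from, uint256 amount,
                                     uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        IERC20Permit(token).permit(from, address(this), amount, deadline, v, r, s);
        IERC20(token).transferFrom(from, address(this), amount);
    }

    // Hardened version: require real code at the address and prove that permit
    // actually ran by checking that the owner's nonce advanced and the expected
    // allowance is in place. A fallback that merely returns success cannot pass
    // these checks, so tokens without permit are rejected instead of drained.
    function depositWithPermit(address token, address from, uint256 amount,
                               uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        require(token.code.length > 0, "token has no code");
        uint256 nonceBefore = IERC20Permit(token).nonces(from);
        IERC20Permit(token).permit(from, address(this), amount, deadline, v, r, s);
        require(IERC20Permit(token).nonces(from) == nonceBefore + 1, "permit not applied");
        require(IERC20(token).allowance(from, address(this)) >= amount, "allowance not granted");
        require(IERC20(token).transferFrom(from, address(this), amount), "transfer failed");
    }
}
```

For a token like the ones in the post (fallback present, no permit), the `nonces` call in the hardened path hits the fallback, returns no data, and the ABI decode reverts, which is the desired outcome.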
To me, it is interesting to note that the logic for a smart contract reverting is from the Solidity compiler itself. If a function exists, it is sane to think that the code wouldn't run - but the fallback breaks this assumption. If you try to call code at an address that has no code, this will run STOP (which is a success) instead of REVERT as well.
This researcher was paid out 2 million dollars (1M for each contract with this bug). The niceness of the smart contracts is fascinating to me; why wouldn't a function that cannot be resolved just revert? Hmmm, such a weird ecosystem. An additional exploit link is here.