Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Polygon Double-Spend Bugfix Review- 882

Immunefi, posted 3 years ago
  • Polygon is a blockchain platform. It operates a bridge called the Plasma Bridge, which lets a user move funds from one chain to another.
  • Moving funds between chains is tricky: tokens must be locked (or burned) on one chain before they can be released on the other. To do this securely, Polygon verifies a Merkle proof; in particular, the receipt of the burn transaction (the exit) is proven to be included in a block this way.
  • The proof carries a branchMask that encodes the path through the tree. It feeds into the exit ID, the value the contract uses to decide whether an exit has already been executed, so it must be unique for a given receipt.
  • The branch mask is decoded in MerklePatriciaProof.verify and again in WithdrawManager.verifyInclusion, and the second decoding ignores part of the mask. Bits that the proof check never looks at can be set to anything and the proof still passes, yet those same bits still change the exit ID.
  • So the ID is not actually unique. An attacker can replay a completely valid receipt with a different branch mask each time; 224 bits of the mask were unchecked, so the same burn could be submitted under up to 2^224 distinct exit IDs. Each replay withdraws the funds again, draining the bridge contract.
  • The unused part of the branch mask should always be 0x0. Because that was never checked, the replay above was possible. Overall, a fascinating bug caused by incomplete validation of a cryptographic proof input.
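To make the bug concrete, here is an added toy model (my own illustration, not Polygon's contracts or the Immunefi write-up's code). It uses a plain binary Merkle tree instead of a Merkle-Patricia trie, a 256-bit branch mask of which the verifier only consumes the low DEPTH bits, and a `WithdrawManager` whose exit ID is built from the whole mask, loosely following the shape described above. The names `verify_inclusion`, `exit_id`, `process_exit` and the `strict` flag are assumptions for the example; the constructed receipts are sample data.

```python
import hashlib

DEPTH = 8          # toy tree with 2**DEPTH leaves (assumption for the example)
MASK_BITS = 256    # width of the branch mask word, like an EVM uint256


def h(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 over the concatenated parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def build_tree(leaves):
    """Return all levels of a binary Merkle tree; level 0 holds the leaf hashes."""
    level = [h(b"leaf", x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        level = [h(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def make_proof(levels, index):
    """Sibling hashes from the leaf up to (but excluding) the root."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index >>= 1
    return proof


def verify_inclusion(root, leaf, branch_mask, proof):
    """Proof check in the style of the bug: one mask bit is consumed per tree
    level (0 = we are the left child, 1 = the right child). Bits above DEPTH
    are never looked at, so they do not affect the result."""
    node = h(b"leaf", leaf)
    for sibling in proof:
        node = h(b"node", sibling, node) if branch_mask & 1 else h(b"node", node, sibling)
        branch_mask >>= 1
    return node == root


def exit_id(age, branch_mask):
    """Exit ID built from the *entire* mask, including the unchecked bits."""
    return (age << MASK_BITS) | branch_mask


class WithdrawManager:
    def __init__(self, root, strict):
        self.root = root
        self.strict = strict          # strict=True adds the missing check
        self.processed = set()        # exit IDs already paid out
        self.paid = 0                 # number of successful withdrawals

    def process_exit(self, receipt, branch_mask, proof, age=1):
        # The fix: bits the proof never consumes must be zero.
        if self.strict and (branch_mask >> DEPTH) != 0:
            return False
        if not verify_inclusion(self.root, receipt, branch_mask, proof):
            return False
        eid = exit_id(age, branch_mask)
        if eid in self.processed:     # replay of an identical exit is caught...
            return False
        self.processed.add(eid)       # ...but a different mask is a "new" exit
        self.paid += 1
        return True


def double_spend_demo(strict):
    """Submit one valid burn receipt four times: twice with garbage in the
    unchecked high bits of the mask, and once as an exact replay.
    Returns (withdrawals paid, per-attempt results)."""
    leaves = [b"burn receipt %d" % i for i in range(2 ** DEPTH)]   # constructed sample
    levels = build_tree(leaves)
    root = levels[-1][0]
    index = 5                                  # the leaf we legitimately burned
    proof = make_proof(levels, index)
    wm = WithdrawManager(root, strict)
    attempts = [index, index | (1 << 200), index | (1 << (MASK_BITS - 1)), index]
    results = [wm.process_exit(leaves[index], m, proof) for m in attempts]
    return wm.paid, results


if __name__ == "__main__":
    print("vulnerable:", double_spend_demo(strict=False))   # 3 payouts for 1 burn
    print("fixed:     ", double_spend_demo(strict=True))    # 1 payout
```

Without the high-bits check the same receipt and proof pay out three times under three different exit IDs; only the byte-identical replay is refused. The one-line `branch_mask >> DEPTH != 0` guard is the model's equivalent of requiring the unused part of the mask to be zero, which is the fix the article describes.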