Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A consensus method is how a group of entities come to a single source of truth. Bitcoin and Ethereum uses proof of work in order to do this. Newer blockchains are using proof of stake. This means that money is put into the pot to demonstrate that the environment means something to them. These stakers or validators are important to the ecosystem for ensuring everything is done properly.

In Polygon, a layer 2 blockchain solution, there is a list of Validators for proving that a transaction was done correctly. In order to become a validator, you must stake or give up your token to the blockchain. There is a limit of 100 validators for this ecosystem at a time though.

There is a struct in Solidity for keeping track of this information with two fields: validatorState.amount and validatorState.stakerCount. The amount is the amount of tokens staked, which is the staking power. The stakerCount is the total number of stakers in the contract, which is likely to be 100.

When a validator unstakes, the counter of the validatorState.amount updates by subtracting the amount of the user who provided the value. This allows users to stake and unstake as they would like, collecting rewards when they unstake.

There is an additional piece of functionality that is important for this vuln: delegation migration. A user can migrate their delegated token amounts from one validator to another. Importantly, this can be done without losing the amount of tokens by the original user; meaning, they can unstake the delegated tokens themselves.

The vulnerability arises from a double subtraction error. When migrating from one account to another, the validatorState.amount is updated to subtract the amount of token delegated. Additionally, when the original user wants to retrieve their unstaked token, they still can! This means we can subtract from validatorState.amount multiple times.

By doing this double subtraction, over time, we can shrink the validatorState.amount variable to be very small. At this point, we could override updates with the 2/3 rule to control the network.

The bug finder only got 75K for this bug instead of the several million they probably deserve. This was explained away by the complexity of time consuming nature of the bug, with very specific network circumstances. However, a bug at the core of the consensus network could have led to a complete take over of the network! Regardless, a fascinating bug.