Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Poly is a cross chain protocol. It is essentially a bridge between two contracts.

In order to do this, a special contract gets called from an EOA to update the state from blockchain to blockchain. In the case of Ethereum, there are two very privileged contracts: EthCrossChainData and EthCrossChainManager. EthCrossChainData can only be invoked by contract owners. It is used to manage the keys for nodes and many other sensitive operations.

EthCrossChainManager can trigger messages from another chain to the Polychain. To do this, the function verifyHeaderAndExecuteTx within this contract is called with a poly contract to execute. This is intended to ONLY call functions with a specific solidity function ID though.

The calculation of the function is done with bytes4(keccak256(abi.encodePacked(_method, "(bytes,bytes,uint64)"))). A user controls the parameter _method. Since functions are literally just the code above, if an attacker could specify a DIFFERENT method ID, they could call arbitrary functions in the contract. This requires brute forcing the hash because of the function signature though.

Remember how the EthCrossChainData contract can only be updated by owners? Well, we can proxy the request with the previous bug, since EthCrossChainManager is an owner of it! By proxying a call to this with the previous bug, we can call sensitive functions! In particular, putCurEpochConPubKeyBytes adds a public key to the contract for verification.

By adding a public key, we can sign our own transactions now! This is how the attacker stole all of the money; a crazy 610 million in USD. Damn.

Function calls used to proxy requests should be carefully audited in applications. This one bug lost a fortune for the platform.