A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega's Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party's general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party's general account. This is without depositing any more than the original 100USDT on the bridge.
Despite this exploit requiring access to a validator’s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.
The steps to carry out this exploit are as follows:
1. Cause an Ethereum event on one of the bridge contracts, e.g. a deposit to the collateral bridge or the staking bridge
2. This will cause the Ethereum-event-forwarder of each node to submit a ChainEvent transaction to the Vega network corresponding to that event
3. Scrape the valid chain event transaction from the Tendermint block data using a node's Tendermint API
4. Change the value of the `txId` field of the ChainEvent to any valid, but different, value
5. Bundle the tweaked ChainEvent into a new transaction, sign it with a validator key and resubmit to the Vega network
6. The fraudulent ChainEvent will be processed by Vega as if it were a new ChainEvent even though it did not occur on Ethereum
The key to this exploit is in step 4. The `txId` field of the ChainEvent is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event. Therefore changing the `txId` of an existing ChainEvent is enough to bypass the duplication check while the event is still verified as a real one.
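The following is an added illustration of the flaw described above, not code from the Vega codebase: a deduplication check keyed on the submitter-chosen `txId` is compared with one keyed on the event's verified Ethereum identity. The `ChainEvent` fields, `ethLogs` lookup table and `Ledger` type are assumed, simplified stand-ins for the real bridge verification.

```go
package main

import "fmt"

// ChainEvent models the replay-relevant fields; EthTxHash and LogIndex are assumed names, not Vega's.
type ChainEvent struct {
	TxID      string // submitter-chosen id; the only key the weak check uses
	EthTxHash string // Ethereum transaction that emitted the log
	LogIndex  uint64 // position of the log within that transaction
	Party     string
	Amount    uint64
}

func ethKey(ev ChainEvent) string { return fmt.Sprintf("%s:%d", ev.EthTxHash, ev.LogIndex) }

// ethLogs is a constructed stand-in for querying the bridge contract's logs.
var ethLogs = map[string]ChainEvent{
	"0xaaa:0": {EthTxHash: "0xaaa", LogIndex: 0, Party: "p1", Amount: 100},
}

// verifyOnEthereum mirrors the verification step: it never looks at TxID.
func verifyOnEthereum(ev ChainEvent) bool {
	log, ok := ethLogs[ethKey(ev)]
	return ok && log.Party == ev.Party && log.Amount == ev.Amount
}

// Ledger records credited balances and the dedup keys already applied.
type Ledger struct {
	Seen     map[string]bool
	Balances map[string]uint64
}

// apply rejects a key seen before, then verifies and credits the event.
func (l *Ledger) apply(ev ChainEvent, key string) error {
	if l.Seen[key] {
		return fmt.Errorf("duplicate chain event %q", key)
	}
	if !verifyOnEthereum(ev) {
		return fmt.Errorf("chain event %q not found on Ethereum", key)
	}
	l.Seen[key] = true
	l.Balances[ev.Party] += ev.Amount
	return nil
}

// ApplyWeak reproduces the flaw: the dedup key is the mutable txId.
func (l *Ledger) ApplyWeak(ev ChainEvent) error { return l.apply(ev, ev.TxID) }

// ApplyFixed keys dedup on the verified on-chain identity instead.
func (l *Ledger) ApplyFixed(ev ChainEvent) error { return l.apply(ev, ethKey(ev)) }
```

With the same Ethereum log submitted twice under different `txId` values, `ApplyWeak` credits the party twice while `ApplyFixed` rejects the second submission, because the dedup key is now derived from the fields that verification actually checks.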
### Impact
The impact of this exploit depends on which ChainEvent is manipulated. The table below describes each one:
| Chain Event | Allows | Consequence |
| --- | --- | --- |
| Deposit | Generation of unlimited funds of any asset | Withdrawal of all assets |
| Stake Deposit | Delegate unlimited Vega to a single node | A single node has a controlling amount of voting power |
| Stake Removed | Force a validator node to drop below self-stake requirements | Prevents reward payouts |
| Bridge Stop | The Vega network to think the bridge is stopped | Prevents anyone from withdrawing funds |
| Signer Removed | The Vega network to think a validator node is not on the multisig contract | Prevents reward payouts |
### Patches
v0.71.6
### Workarounds
No workaround is known; however, there are mitigations in place should this vulnerability be exploited:
- there are monitoring alerts, for `mainnet1`, in place to identify any issues of this nature, including this vulnerability being exploited
- the validators have the ability to stop the bridge, thus stopping any withdrawals, should this vulnerability be exploited
### References
N/A