Rewards - Bug Bounties
Withdrawn function logic error
Aurora is an EVM (a fully operational environment for Solidity smart contract execution) that runs on the NEAR blockchain. From Aurora's perspective, however, it is an L2 network that allows assets and contracts to be used as though they were on Ethereum, while leveraging the high throughput and low fees of the NEAR blockchain.
An anonymous whitehat submitted a critical vulnerability to Aurora via Immunefi, which consisted of a withdrawal logic error. At the time of the submission, on block 14970303, 50550.9 ETH was on the vulnerable contract. Given that the average price for ETH that day was ~$1,245, the funds at risk amounted to $62,935,870.
Aurora had a flaw in the withdraw function that made it possible to use the Echo contract to steal funds from the EthCustodian contract without burning any tokens on the Aurora side. First, an attacker had to create a malicious payload that would be correctly deserialized to the BurnResult struct. Then, all the malicious user needed to do was call the view function in Aurora, which would call the Echo contract with that payload. As a result, the NEAR blockchain would record a valid and successful transaction containing a payload decodable by EthCustodian.