ID: moonbeam-network-1106
Date: May 27, 2022
Status: Near-Miss
Incident Count: 1
Contributor: web3rekt.com
KYC: None
Audits: None
Loss Amount: -
Recovered: -
Rewards: 1,050,000 USD

Key Indicators

Platform: Moonbeam Network
Type: Network
Category: Assets
Method: Near-Miss
Extended Method: Logic error in the handling of delegatecall
Days in Operation: 987 (2.70 Years)

The Moonbeam network is a smart contract platform for cross-chain connected applications that unites functionality from many blockchains including Ethereum, Cosmos, Polkadot, and more. It makes it possible for developers with Solidity or Vyper-based smart contracts to create multi-chain instances of their application that are able to communicate with each other.

Whitehat pwning.eth submitted a critical "missing check on delegatecall" vulnerability in the Moonbeam network to the Moonbeam team via Immunefi. The report demonstrated that the native assets, Moonriver (MOVR) and Moonbeam (GLMR), which are exposed to contracts through pre-compiled contracts, could be stolen directly. The Moonbeam team estimated that up to $100m in funds could have been affected; the whitehat's prompt disclosure meant no funds were lost.

The critical vulnerability was in how the call context is handled. The Moonbeam pre-compiled contract had no logic to determine whether it was being invoked through DELEGATECALL or through an ordinary CALL. Under DELEGATECALL, the callee's code runs in the calling contract's context: the caller and the context address it observes belong to the contract that delegatecalled it, not to the precompile itself. A precompile that does not distinguish the two therefore executes its privileged logic on behalf of whatever contract reached it through DELEGATECALL, which is what made the native assets reachable to an attacker.
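The following is an added example, not code from web3rekt or from Moonbeam, modelling in Rust how the EVM derives a callee's context under CALL versus DELEGATECALL and why a precompile that ignores the difference can be made to act for the wrong account. The precompile, the addresses, the balances and the call sequence (a victim contract calling an untrusted contract, which delegatecalls the precompile) are all constructed for this illustration; the hardening check compares the address whose code is executing with the context address, which is the generic way a precompile can detect that it was reached through DELEGATECALL.

```rust
use std::collections::HashMap;

/// Account identifier; one byte is enough for this model.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Address(pub u8);

/// The call-context fields a precompile can inspect. `address` is the account in
/// whose context the code runs (its balance/storage); `code_address` is the
/// account whose code is executing. They are equal under CALL, different under
/// DELEGATECALL.
#[derive(Clone, Copy, Debug)]
pub struct Context {
    pub caller: Address,
    pub address: Address,
    pub code_address: Address,
}

#[derive(Clone, Copy, Debug)]
pub enum CallKind {
    Call,
    DelegateCall,
}

/// How the EVM derives the callee frame's context from the parent frame.
pub fn child_context(parent: &Context, target: Address, kind: CallKind) -> Context {
    match kind {
        // CALL: the callee runs as itself and sees the parent frame as caller.
        CallKind::Call => Context { caller: parent.address, address: target, code_address: target },
        // DELEGATECALL: only the code changes; caller and address are inherited.
        CallKind::DelegateCall => Context { caller: parent.caller, address: parent.address, code_address: target },
    }
}

/// Toy stand-in for a native-token ERC-20 precompile (constructed for this example).
pub struct NativeErc20 {
    pub balances: HashMap<Address, u64>,
    /// Hardened behaviour: refuse to execute when reached through DELEGATECALL.
    pub reject_delegatecall: bool,
}

impl NativeErc20 {
    /// transfer(to, amount): debits the caller, as an ERC-20 precompile does.
    pub fn transfer(&mut self, ctx: &Context, to: Address, amount: u64) -> Result<(), String> {
        // The check: under DELEGATECALL the executing code's address differs from
        // the context address, so the precompile can detect and refuse that path.
        if self.reject_delegatecall && ctx.code_address != ctx.address {
            return Err("cannot be called with DELEGATECALL".to_string());
        }
        let from = ctx.caller;
        let from_bal = self.balances.get(&from).copied().unwrap_or(0);
        if from_bal < amount {
            return Err("insufficient balance".to_string());
        }
        self.balances.insert(from, from_bal - amount);
        *self.balances.entry(to).or_insert(0) += amount;
        Ok(())
    }
}

// Assumed addresses for the scenario (not real Moonbeam addresses).
pub const EOA: Address = Address(9);
pub const VICTIM: Address = Address(1);
pub const ATTACKER: Address = Address(2);
pub const PRECOMPILE: Address = Address(3);

fn fresh_token(reject_delegatecall: bool) -> NativeErc20 {
    NativeErc20 { balances: HashMap::from([(VICTIM, 100)]), reject_delegatecall }
}

fn balances_of(token: &NativeErc20) -> (u64, u64) {
    let get = |a: Address| token.balances.get(&a).copied().unwrap_or(0);
    (get(VICTIM), get(ATTACKER))
}

/// Constructed scenario: VICTIM, a contract holding 100 units, makes an ordinary
/// CALL into ATTACKER (e.g. an untrusted callback); ATTACKER's code then
/// DELEGATECALLs the precompile's transfer(ATTACKER, 100). Because DELEGATECALL
/// inherits the caller, the precompile sees VICTIM as the account to debit.
/// Returns (transfer result, victim balance, attacker balance).
pub fn delegatecall_attack(reject_delegatecall: bool) -> (Result<(), String>, u64, u64) {
    let mut token = fresh_token(reject_delegatecall);
    let in_victim = Context { caller: EOA, address: VICTIM, code_address: VICTIM };
    let in_attacker = child_context(&in_victim, ATTACKER, CallKind::Call);
    let in_precompile = child_context(&in_attacker, PRECOMPILE, CallKind::DelegateCall);
    let res = token.transfer(&in_precompile, ATTACKER, 100);
    let (v, a) = balances_of(&token);
    (res, v, a)
}

/// Control: VICTIM CALLs the precompile directly; the hardening must not break this.
pub fn legitimate_transfer(reject_delegatecall: bool) -> (Result<(), String>, u64, u64) {
    let mut token = fresh_token(reject_delegatecall);
    let in_victim = Context { caller: EOA, address: VICTIM, code_address: VICTIM };
    let in_precompile = child_context(&in_victim, PRECOMPILE, CallKind::Call);
    let res = token.transfer(&in_precompile, ATTACKER, 40);
    let (v, a) = balances_of(&token);
    (res, v, a)
}

fn main() {
    println!("unchecked precompile: {:?}", delegatecall_attack(false));
    println!("hardened precompile:  {:?}", delegatecall_attack(true));
    println!("legitimate transfer:  {:?}", legitimate_transfer(true));
}
```

The unchecked run moves the victim's full balance to the attacker even though the victim never called the precompile; the hardened run reverts at the entry check, while a direct CALL into the precompile still succeeds. The same comparison of executing-code address against context address is what a precompile author should apply to every state-changing entry point, not only transfer.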


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial or non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any use of the data and information derived from this database.