Whitehat 0xadee028d submitted an arbitrary method call vulnerability in xDai to Immunefi. The vulnerability was assessed to have a severity level of medium, but was out of scope of xDai’s bug bounty program. Additionally, the bug only allowed a potentially malicious hacker to gain access to funds in a contract that users were never supposed to send funds to in the first place.

At the time of the report, however, a user had accidentally sent $4.50 in renBTC to the contract 10 months prior, which amounted to the total funds at risk. If users had sent more funds to that contract, more would have been at risk, and the same holds for any funds sent to that contract in the future. Despite the vulnerability being out of scope, xDai generously decided to pay out a bounty of $5,000 USDC to the whitehat.

xDai operates as an Ethereum sidechain, and there is a bridge between the Ethereum Mainnet and the xDai chain that allows users to pass arbitrary messages from one chain to another — an Arbitrary Message Bridge (AMB). Since the AMB contracts allow calls of any method of any contract, a malicious attacker could compose such a message that would execute a token transfer on behalf of the AMB contracts.