5.2 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P
0.001 Low
EPSS
Percentile
22.7%
A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party’s general account. This is without depositing any more than the original 100USDT on the bridge.
Despite this exploit requiring access to a validator’s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.
The steps to carry out this exploit are as follows:
txId
field of the ChainEvent to any valid, but different, valueThe key to this exploit is in step 4. The txId
field of the ChainEvent is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event. Therefore changing the txId
of an existing ChainEvent is enough to by-pass the duplication check and for it to still be verified as a real event.
The impact of this exploit is dependent on the ChainEvent being manipulated. The below table describes each one:
Chain Event | Allows | Consequence |
---|---|---|
Deposit | Generation of unlimited funds of any asset | Withdrawal of all assets |
Stake Deposit | Delegate unlimited Vega to a single node | A single node has controlling amount of voting power |
Stake Removed | Force a Validator node to drop below self-stake requirements | Prevents reward payouts |
Bridge Stop | The Vega network to think the bridge is stopped | Prevent anyone from withdrawing funds |
Signer Removed | The Vega network to think a validator nodes is not on the multisig contract | Prevent reward payouts |
v0.71.6
No work around known, however there are mitigations in place should this vulnerability be exploited:
mainnet1
, in place to identify any issues of this nature including this vulnerability being exploitedN/A
CPE | Name | Operator | Version |
---|---|---|---|
code.vegaprotocol.io/vega | lt | 0.71.6 |
5.2 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P
0.001 Low
EPSS
Percentile
22.7%