On April 24th, a critical vulnerability in the XBridge contract was exploited. The attacker used this vulnerability to steal user funds that had been registered for bridging using XBridge. This resulted in an estimated loss of $1.6 million in a combination of STC, SRLTY, and Mazi tokens.

Overview

Attacker address: https://etherscan.io/address/0x0cfc28d16d07219249c6d6d6ae24e7132ee4caa7

Vulnerable contract: https://etherscan.io/address/0x354cca2f55dde182d36fe34d673430e226a3cb8c#code

Attack Tx Step1 (re-register owner) : https://etherscan.io/tx/0xe09d350d8574ac1728ab5797e3aa46841f6c97239940db010943f23ad4acf7ae

Attack Tx Step2 (withdrawToken): https://etherscan.io/tx/0x903d88a92cbc0165a7f662305ac1bff97430dbcccaa0fe71e101e18aa9109c92

Exploit Analysis

• The XBridge contract allows users to register their tokens to be bridged between chains. The token owner can then deposit tokens to act as a liquidity provider for bridging, and they may withdraw their tokens at any time.

  When the owner lists their token using the listToken function, their address is registered as the _tokenOwner. This grants them the ability to deposit and withdraw the _baseToken. However, the function only checks if the pair is set up. It lacks a check to prevent someone else from re-registering the _baseToken with a different pair, allowing them to become the _tokenOwner.

• The attacker waits for the real token owner to list and deposit their tokens. They then exploit the vulnerability by re-calling the listToken function with a different pair (while keeping the _baseToken the same). This allows them to become the token owner and maliciously withdraw all liquidity from the bridge contract.

Conclusion

Bridge contracts play a pivotal role in enabling cross-chain communication and asset transfers in the blockchain world. Unfortunately, they also present a major security risk. Since they often hold large quantities of assets across multiple chains, bridge contracts make an attractive target for hackers, and any successful exploit can lead to devastating financial losses.

To strengthen bridge security, the following measures are essential:

• Implement Robust Risk Control Mechanisms: Bridges should have proactive risk control strategies. These include regular monitoring, limits on asset holdings, and emergency shutdown procedures in the case of suspected attacks.

• Prioritize Security Audits: All blockchain projects (smart contracts, backends, wallets, or dapps), especially bridge contracts, should undergo thorough security audits by reputable firms. This helps uncover potential vulnerabilities before code deployment.

• User Vigilance: Token owners should exercise caution when selecting bridges. Research projects thoroughly, examine bridge contracts and systems carefully, and whenever possible, give preference to bridges that have undergone successful audits.

The security of bridge contracts is not only a project-level concern; it requires a collaborative effort across the entire blockchain community. By sharing best practices, staying vigilant, and prioritizing security, we can create a safer and more trustworthy environment for cross-chain interactions.