Full Report
tBTC is a bridge that brings BTC to the Ethereum network, built on the Threshold protocol. Redemptions, which move funds between BTC and tBTC on Ethereum, can be requested; a list of decentralized relayers backing a multi-sig wallet must then approve the transaction that occurred. The threshold is 51/100.

FTX got "hacked" a while ago. Well, did they? Or was this Sam just hiding money? We're not really sure. Anyway, some of this money was moving through the network and somebody noticed. A hacker noticed. Somebody found a way to pause the tBTC network. This was done by manually crafting a transaction that caused the validator signing clients to stop working: the client thought the wallets were busy and unable to service any more requests. A 0-day was dropped!

There's a second bug that's more of a design flaw than anything else, and it is what made the first bug possible. There is only a single approver address nominated by the DAO, creating a single point of failure; if it were compromised, the whole thing would be shattered. Further, any system that requires specific approval can have an issue like this. So, instead of using an approval-based mechanism, they decided to move to a veto-based setup. They describe this as everything going through by default, with specific addresses having the ability to veto or pause transactions. This is similar to the Guardian role in optimistic minting.

Overall, an interesting post on a DoS bug within a popular protocol. The design decision discussion is very fascinating to see as well.
Analysis Summary
# Vulnerability: tBTC Denial of Service via Crafted BTC Transactions
## CVE Details
- CVE ID: Not assigned in the source material (described there as a deployed "0-day" exploit).
- CVSS Score: Not assessed in the source material.
- CWE: CWE-400 (Uncontrolled Resource Consumption, related to DoS).
## Affected Systems
- Products: tBTC Protocol (Threshold Network).
- Versions: Pre-patch client versions handling BTC redemption validation logic.
- Configurations: Environments where redemption requests are finalized via a multi-sig signatory group requiring status verification between BTC deposits/redemptions.
## Vulnerability Description
The vulnerability is a Denial of Service (DoS) that affects the tBTC redemption process. An attacker manually crafted specific Bitcoin transactions directed to two of the tBTC wallet signers. These crafted transactions tricked the tBTC signing clients into believing the wallets were "busy" processing funds, thus preventing the clients from servicing outstanding tBTC redemption requests. This state persisted indefinitely (or until the manual intervention/patch fixed the underlying logic), effectively pausing all outstanding redemptions, including one associated with FTX funds.
A secondary design flaw contributing to the ease of exploitation was the reliance on a single, nominated approver address (a single point of failure) in the `WalletCoordinator` contract.
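To make the class of failure concrete, here is an added model (not tBTC's client code) of a signing client's wallet-"busy" check in a deliberately weak form beside a hardened one: the weak rule derives an internal scheduling flag from untrusted network input, the hardened rule only from transactions the client itself originated. The busy rule, data shapes, addresses and sample transactions are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class BtcTx:
    """Constructed, minimal view of a Bitcoin transaction."""
    txid: str
    outputs: list[tuple[str, int]]  # (address, satoshis)
    confirmations: int = 0


@dataclass
class WalletState:
    address: str
    # txids of transactions this client proposed itself and is waiting on
    own_pending: set[str] = field(default_factory=set)


def busy_weak(wallet: WalletState, mempool: list[BtcTx]) -> bool:
    """Assumed weak rule: any unconfirmed transaction paying the wallet
    address means the wallet is 'processing funds'.  The flag is therefore
    controlled by whoever can broadcast a transaction, which is the DoS."""
    return any(
        tx.confirmations == 0 and any(a == wallet.address for a, _ in tx.outputs)
        for tx in mempool
    )


def busy_hardened(wallet: WalletState, mempool: list[BtcTx]) -> bool:
    """Hardened rule: only transactions the client proposed itself (tracked
    by txid) keep the wallet busy; unsolicited third-party payments do not."""
    unconfirmed = {tx.txid for tx in mempool if tx.confirmations == 0}
    return bool(wallet.own_pending & unconfirmed)


def evaluate(own_tx_pending: bool, unsolicited: bool) -> tuple[bool, bool]:
    """Return (weak_busy, hardened_busy) for a constructed mempool."""
    wallet = WalletState(address="wallet-addr-EXAMPLE")  # constructed
    mempool: list[BtcTx] = []
    if own_tx_pending:
        # The wallet's own redemption: pays the redeemer, change back to itself.
        wallet.own_pending.add("own-txid-1")
        mempool.append(BtcTx("own-txid-1",
                             [("redeemer-addr-EXAMPLE", 100_000), (wallet.address, 5_000)]))
    if unsolicited:
        # An outsider's dust payment to the wallet; not part of any redemption.
        mempool.append(BtcTx("outsider-txid-1", [(wallet.address, 546)]))
    return busy_weak(wallet, mempool), busy_hardened(wallet, mempool)
```

Both rules agree while the wallet is genuinely mid-redemption; they diverge only on the unsolicited payment, which the weak rule treats as proof of work in progress.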
## Exploitation
- Status: Exploited in the wild (by an unknown third party who targeted FTX-associated funds).
- Complexity: The technical mechanism was a "simple 0-day exploit." The complexity of *crafting* the malicious BTC transaction to trigger the client state change is likely Medium to High, as it required specific knowledge of the client's "busy" state logic.
- Attack Vector: Network (via sending malicious raw BTC transactions).
## Impact
- Confidentiality: No stated direct impact.
- Integrity: No stated direct impact on existing tBTC balances or the protocol's core logic beyond the temporary blockage.
- Availability: **Critical**. The entire tBTC redemption functionality was halted/paused.
## Remediation
### Patches
- The first bug (the DoS vector) was patched and released shortly after discovery (around October 2, 2023). Specific version numbers are **not provided** in the source material.
### Workarounds
1. **Administrative Intervention:** Initial monitoring systems alerted contributors, allowing the dev team to prepare a patch.
2. **Design Change Discussion:** The protocol is discussing moving from the current *approval-based* flow to a *veto-based* (optimistic redemption) flow to prevent similar single-point-of-failure or approval-based roadblocks in the future.
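The difference between the two flows, as an added illustration rather than the actual `WalletCoordinator` contract: in the approval-based model a single unavailable approver stalls every proposal, while in the veto-based model proposals execute after a delay unless a guardian vetoes inside the window. Role names, the delay length and the proposal shape are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Proposal:
    proposal_id: int
    submitted_at: int  # block number when the proposal was submitted
    approved: bool = False
    vetoed: bool = False

class ApprovalCoordinator:
    """Approval-based flow: nothing executes until the single approver acts."""
    def __init__(self, approver: str) -> None:
        self.approver = approver
    def approve(self, p: Proposal, sender: str) -> None:
        if sender != self.approver:
            raise PermissionError("not the nominated approver")
        p.approved = True
    def executable(self, p: Proposal, now: int) -> bool:
        return p.approved  # an absent approver blocks everything

class VetoCoordinator:
    """Veto-based (optimistic) flow: executes after a delay unless vetoed."""
    def __init__(self, guardians: set[str], delay_blocks: int) -> None:
        self.guardians = guardians
        self.delay = delay_blocks
    def veto(self, p: Proposal, sender: str, now: int) -> None:
        if sender not in self.guardians:
            raise PermissionError("not a guardian")
        if now >= p.submitted_at + self.delay:
            raise ValueError("veto window already closed")
        p.vetoed = True
    def executable(self, p: Proposal, now: int) -> bool:
        return not p.vetoed and now >= p.submitted_at + self.delay

def simulate(approver_online: bool, guardian_vetoes: bool) -> tuple[bool, bool]:
    """Return (approval_flow_executes, veto_flow_executes) once the delay passed."""
    delay = 100
    approval = ApprovalCoordinator("approver-EXAMPLE")      # constructed
    veto = VetoCoordinator({"guardian-EXAMPLE"}, delay)      # constructed
    p_approval, p_veto = Proposal(1, submitted_at=0), Proposal(1, submitted_at=0)
    if approver_online:
        approval.approve(p_approval, "approver-EXAMPLE")
    if guardian_vetoes:
        veto.veto(p_veto, "guardian-EXAMPLE", now=10)  # inside the veto window
    now = delay + 1
    return approval.executable(p_approval, now), veto.executable(p_veto, now)
```

The veto flow still gives a guardian a pause button, but the liveness of honest redemptions no longer depends on one key being online.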
## Detection
- Indicators of Compromise: Blocking of all outstanding tBTC redemption requests without an expected resolution time. Sudden, unusual activity/state reported by tBTC signing clients indicating wallets are "busy."
- Detection Methods and Tools: Alerting and monitoring systems used by Threshold DAO contributors detected the issue promptly.
## References
- Vendor Advisories: Threshold Network Blog Post "A tale of two bugs" (Oct 7, 2023).
- Relevant links (defanged):
  - `hXXps://threshold.network/blog/a-tale-of-two-bugs/`
  - `hXXps://etherscan.io/tx/0x0b3796cf79fe87d15dfe9bd038941adc9ccb693694c28bbacba12989d48f0c78?ref=threshold.network` (example redemption request)
  - `hXXps://mempool.space/tx/afbd1e38fd6cf282b1d42973d7c0b52705b9b311c08ea49e50ba9a6d4faff582?ref=threshold.network` (example malicious BTC transaction)