Full Report
Article about all of the smart contract vulnerabilities of the year. I'm going through the hacks and findings one by one, but still wanted this documented for later. Good detailed writeups and a good list of articles!
Analysis Summary
Based on the article "Ethereum Smart Contract Auditor’s 2022 Rewind," here is the summary of the highlighted security flaws.
# Vulnerability: Multi-Vector DeFi and Bridge Exploits (2022 Rewind)
## CVE Details
* **CVE ID:** N/A (Most smart contract vulnerabilities are not assigned standard CVEs; they are tracked by project names/incident dates).
* **CVSS Score:** 10.0 (Critical - based on total loss of funds).
* **CWE:** CWE-670 (Always-Incorrect Control Flow Implementation), CWE-20 (Improper Input Validation), CWE-287 (Improper Authentication).
## Affected Systems
* **Products:** Wormhole Bridge (Solana/Ethereum), Optimism (L2 Rollup), BNB Bridge (BSC), various DAO governance protocols.
* **Versions:** Various 2022 production deployments.
* **Configurations:** Inter-chain bridges utilizing pre-compiled contracts and Merkle proof verification; DAOs with hidden UI parameters.
## Vulnerability Description
The article highlights several distinct technical flaws:
1. **Wormhole Bridge (Solana):** The attacker bypassed signature verification by replacing or spoofing Rust pre-compiled code instructions. This allowed the verification of forged "guardian" signatures.
2. **Optimism Geth Fork:** A flaw in the `selfdestruct` implementation. When a contract triggered self-destruction, the account balance was credited to the target address, but the source contract's balance was not immediately zeroed out in the state, allowing for token duplication.
3. **BNB Bridge (IAVL Library):** The bridge used a pre-compiled contract for Merkle proof verification. The underlying library was designed for efficiency but not for handling untrusted user input. Attackers crafted malicious proofs that the "naive" verification logic accepted as valid.
4. **Governance/DAO Flaws:** Use of "hidden" parameters (e.g., a "period" multiplier) that were not visible in the UI but were processed by the contract, allowing attackers to multiply reward amounts beyond what voters intended.
## Exploitation
* **Status:** All listed cases were **Exploited in the wild**.
* **Complexity:** High (Requires deep understanding of EVM/Solana internals and Merkle tree structures).
* **Attack Vector:** Network (External smart contract interactions).
## Impact
* **Confidentiality:** Low (Blockchain data is public).
* **Integrity:** Critical (Unauthorized minting of tokens and modification of account balances).
* **Availability:** High (Loss of protocol liquidity and temporary chain halts).
## Remediation
### Patches
* **Optimism:** Fixed by ensuring account balances are properly handled during `selfdestruct` sequences (L2 Geth update).
* **BNB Chain:** Updated the Merkle proof verification library to handle arbitrary user-provided proofs securely.
* **Wormhole:** Patched the signature verification logic and reinforced the security of pre-compiled contract calls.
### Workarounds
* **Bridge Halts:** Targeted pausing of bridge contracts during active exploitation.
* **UI/UX Audits:** Ensuring that all contract parameters capable of affecting fund distribution are rendered and verifiable in the governance frontend.
## Detection
* **Indicators of Compromise:** Sudden, massive minting events of wrapped assets (e.g., weETH, BNB); discrepancies between contract state and expected balance after `selfdestruct`.
* **Detection Methods:**
    * Real-time monitoring of bridge mint/burn events.
    * Static analysis of pre-compiled contract integrations.
    * Formal verification of Merkle tree library implementations.
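
The mint/burn monitoring idea above, sketched as an added example (not code from the cited article or from any bridge project): a supply-conservation check that flags wrapped-asset mints not backed by source-chain lock-ups. The event kinds, field names and the size threshold are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    block: int
    kind: str    # assumed kinds: "lock"/"release" (source chain), "mint"/"burn" (wrapped asset)
    amount: int  # smallest unit of the asset

# Constructed sample: normal round trip, then a large mint with no matching lock.
SAMPLE_EVENTS = [
    Event(100, "lock", 50),
    Event(101, "mint", 50),
    Event(105, "burn", 20),
    Event(106, "release", 20),
    Event(110, "mint", 120_000),
    Event(111, "lock", 10),
]

def check_bridge(events, max_single_mint):
    """Return (block, reason) alerts for a stream of bridge events."""
    locked = 0   # collateral held by the bridge on the source chain
    supply = 0   # wrapped tokens outstanding on the destination chain
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):  # stable: keeps in-block order
        if ev.kind == "lock":
            locked += ev.amount
        elif ev.kind == "burn":
            supply -= ev.amount
        elif ev.kind == "mint":
            supply += ev.amount
            if ev.amount > max_single_mint:
                alerts.append((ev.block, "oversized mint"))
        elif ev.kind == "release":
            locked -= ev.amount
        else:
            alerts.append((ev.block, "unknown event kind"))
            continue
        # Lock precedes mint and burn precedes release, so supply <= locked
        # must hold at all times; only mint and release can break it.
        if ev.kind in ("mint", "release") and supply > locked:
            alerts.append((ev.block, "unbacked supply"))
    return alerts

if __name__ == "__main__":
    for block, reason in check_bridge(SAMPLE_EVENTS, max_single_mint=1_000):
        print(f"block {block}: {reason}")
```
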
## References
* Optimism "Unbridled" Writeup: hxxps://www[.]saurik[.]com/optimism[.]html
* BNB Bridge Hack Analysis: hxxps://drdr-zz[.]medium[.]com/bnb-bridge-hack-eli5-explained-and-visualised-1fb2837c7a7e
* Ventral Digital Original Article: hxxps://ventral[.]digital/posts/2023/1/2/ethereum-smart-contract-auditors-2022-rewind/