Breaking the Bridge: Hacking Wrapped Coins and Tokens

okay ladies and gentlemen our third presentation of uh the morning is actually by six thank you hello everyone so you have probably already seen many smart contract hacks and it's kind of simple uh solidity-based vulnerabilities on the blockchain space and i thought uh it's a good idea to bring a little bit more complex things uh to this conference and the hype because what is the hype now in hacking it's in in webstery or blockchain term whichever buzzword you like to use um it is the bridge hacking so i have four parts in this presentation i will start with an introduction of what bridges i will explain you what are coins tokens rap tokens how blockchains

are connected to centralized bridges and i will show you an example uh how a fun a really interesting project was hacked and how some funds were recovered i'll show you also the exploit and the tools you can use to do bridge hacking and solidity based and kind of depth hacking so um let's move on uh why would you do this anyways what's web3 what is this thing anyways uh the good thing in hacking cryptocurrencies in this webster area is that you can hack money directly and this was not available before in the web 2 area which is kind of yeah it's different in the way from web one that it is interactive but it is

commercialized it is centralized it is not really private and so on um at this space we were not able to hack money in such a direct way because for example if there was a bank hack you had to transfer the balances and you had to uh fight with the risk management team in webster if you take the coins or tokens then it's gone and you already have it in your wallet there are right now not many systems that can actually stop you or stop you from taking the balances when your exploit is successful and also um also you can you can directly access the this native system on the blockchain because that's inbuilt so all this kind of buzzwords

i'm not sure how many of you are familiar with uh with these things which are written here so uh real short introduction to um to what bridges and how it works and what we mean actually when we say blockchain it is really overused word actually in the bitcoin white paper um there was no blockchain word used so bitcoin is a decentralized peer-to-peer network uh a money system but the term was coined coin i mean uh someone figured this uh out this term a couple of years later later maybe around 2012 2011 or something so when we say blockchain most of the people mean that that's a data which is hedged and then the next block is also

data with the hash and also with the previous hash and this chain continues plus the consensus algorithm which makes sure that the nodes that are participating at the system are connecting together and have the consensus and they agree that x current has y balance and so on and plus we also have the peer-to-peer uh library inbuilt so that's the blockchain package uh and in this presentation when i speak about a blockchain that's what it means so the bridge is um in in this case and in most cases what we see as bridges these are veptu like centralized front-end back-end servers that are communicating with apis through to providers who are sending uh data to to blockchain and uh and make

transactions happen this exists so you can bridge coins from one blockchain uh to another one and the coin most often means that this is the the lowest layer of uh payment system on the blockchain and when ethereum came out with something new which is the evm which is basically the possibility that you can run code on top of a blockchain on this um this decentralized consensus-like system they put this evm layer where you can code and either solidity or viper so that is the more common one and create your own tokens so what actually is a token uh if you look at erc20 standard you will see the details of how this specific token looks like

but this is nothing else than you specifying a variable and the max supply and and adding some logic to your tokens and sending the balances from account a to b and of course as we uh went through time uh it became more and more complex and more logic was added but the core is the solidity at the token so what is a wrapped token i've wrapped token and we can go to the next slide because i said we will see a fun example how uh blockchain banana bridge can be hacked this this will show you how the system works in detail so what was happening in in this part in this hack that there is banana

blockchain it's a meme coin it's like deutsch queen but with bananas it's uh i thought it's very simple exploit it's fun to explain uh there will be some other cases at the end of this talk but um but this will be uh surely something that can get everyone started so what uh what was happening there so there is the blockchain itself with the coins they implemented a bridge where you could send your funds to so let's say you have some banana coins in the system you send it to the bridge and in exchange the bridge gives you a receipt and the receipt is generated from this this web tool-like server from the backend as i remember node.js

is running there so you can scream oh i got javascript yes most of the things are actually written in that and so it gives you a receipt and then you can use this receipt to mint wrapped tokens on other solidity-enabled systems where the banana smart contract is um is running and in this case and in the demo which i prepared i show you are the two chains now we will be uh on polygon and we will be also uh on on binance smart chain which are um which are evm enabled systems they basically forged ethereum and then then this project started to use it um so yeah that is the basic infrastructure of this uh example

and you can already start thinking about the issues you have one blockchain you have a centralized point a single point of failure and you have two smart contracts which accept receipts so if you have done some web pen testing maybe you already have some ideas of what could go wrong uh anyone with ideas if you a receipt and you have two systems you can use the same receipt yes someone

exactly yes nice so uh replay attack so that was uh what happened and someone funny but the story was really funny because on the banana chat some guys started to ask how does this bridge work and how the receipts are working and they started to uh ask the developers about that because they didn't have enough skills to figure out themselves and it turns out they were trying to hack the bridge which they succeeded so in the end we found this uh two guys uh in the chat talks with road and alibaba who were asking uh what was going on and their account was connected to the hack it took uh some time until the guys

figured out what was going on because yeah you send one banana to the bridge and then you use the receipt on both smart contracts and you had two wrapped bananas from the smart contract but it works uh the way around so when you have the wrap bananas you can exchange them back to the the blockchain coins the main bananas so that's a pretty straightforward what was happening but we still haven't looked into the code and what actually was happening on a technical level so first of all um [Music] i i won't explain the front-end back-end and and this http part level because we have seen this uh a lot already but uh what is really important in this

exploit what these guys are doing is the transaction itself and how it's built up and how you can put the receipt itself into the the transaction so what the attackers had to do is that they took an example of the transaction and that was provided by the bridge front-end and they only had to replace basically the uh assigned data the the receipt in the transaction and a little bit of tinkering so it works not just on let's say polygon but also on uh on on the other chain the binance chain so uh we can see how it works first uh you put you build up the transaction uh i show you uh python script how you can do the ecdsa

part for the uh for the receipt but the transaction you can pre pretty much put together with web3.js library you have it in node.js you also have it web3 in python so and also in rust so whichever language you can work with you can surely do it so you prepare your transaction and then you send your transaction uh to either a provider for example if you have used meta mask it's one of the most common uh wallet then what metamask is doing in the background it is using a provider that basically forwards your transaction to to a node uh let's say polygon node and on the polygon node uh it is it is checked and if everything

uh is okay and we're broadcasting on the network then it is broadcasted to two more nodes and as time passes on and blocks are being mined this is propagating everywhere on the blockchain and if your transaction was correctly crafted then this won't revert it will succeed and you will get a notification that your transaction is mined in a block and now it's finalized and you can start seeing the confirmations so let's start looking into uh what was called in this exploit um basically if you um do go through the uh use of the bridge of the banana bridge which i will show you and i really hope it will work for the first time uh

i will i will prep some bananas for you and you will see this on the only blockchain this exact uh function call when you want to meet with your receipt so the attackers uh what i explained so far they had some ideas about that but they were let's say not that bright to understand all the things so all they did is that they were like screwing around playing around and they figured out if you find this and they copy this uh to a transaction on the other chain then this um function call with the same receive data vrs is used uh so basically the vrs and and uid part is the most important from this

message and of course the recipient address and they they just copied it and put together the transaction so what do we need for uh for hacking on these systems if we want to be like a bit better than those guys or want to go a little deeper actually not too much most of the cases when we see exploits in uh ethereum based systems and front ends you just need your web to hacking tools uh you can use firefox metamask uh if you want to develop the exploit on your own machine you either use the ethereum node get or you use ganache which is a one click blockchain don't ask me why they call it ganache

and what it does with chocolate i have no idea also about truffle but with ganache and truffle you can run your own testing system uh on your on your laptop and it doesn't eat up all your processing power and all your memory so it's pretty convenient you can test your exploits on it and so on and um you can also use python um because at i would say uh if you want to automatize some like more like generating the exploits python can be kind of convenient

so let's look into the bridge so if you open polygon.banana.cc and connect your metamask to this page there is a big connect button if you open it i already connected it and you can say i am new to this uh banana and then you can send the address and then you can get uh through this menu and in the end when you um when you finish the process and connect it to the bridge then then you can get to this point where the transaction will be preferred from this front-end interface i actually haven't prepared the banana address to this so let's jump to the transaction so i can show you how it works whatever transaction

you want to have a look at you can just go on the explorer in this case in binance chain and you can see all the details and and you can pretty much figure out uh what are uh what was sent as long as you have on a smart contract level the uh the code because if you deploy a smart contract on a blockchain and you do not uh verify let's say the contract you do not upload it all you see on the blockchain is the bytecode so in this example this is the wrapped banana example i think i just take it back so in this example we can see that the guys behind the project

basically verified the solidity code that they use for the smart contract that runs on binance and you can find all the all the data here and if we want to look at uh the code and the more interesting part of the hack here is git so basically a little bit extension so normally smart contracts are immutable except if you use a proxy smart contract and you are able to replace the logic of your smart contract but still keep the data and in this case if you look at the git commit you will see that they also made an upgrade to the smart contract so not all smart contracts are actually immutable if you see this proxy setup

then you can you can see that that you are not calling basically the smart contract in a direct way it is proxied and and proxy admin can modify the address of uh of the contract that are that are reliant to the logic so but uh how how do we call it so one way to call a smart contract and uh for example if you want to do this mint with receipt call you can just connect your meta mask to the explorer and then fill the fields and send a transaction and the problem in this first of all for example in binance scan this is behind cloud flare which is pretty evil and not that nice so you probably don't want

to do this and then it probably uh connects to infor and then sends it uh to the blockchain because you are using metamosk so if you don't want to use that but you want to call a smart contract i prepared a simple example a question do you see the code

okay i am actually trying to zoom it but let's move it from here

no syntax highlight but who's using syntax highlighting anyways uh so uh contract one uh will be calling contract you that's the idea so i quickly explain you what's happening there and then we see we try tried in practice on the remix ide remix ide is a javascript based uh ide which also implements evm in your browser so you have everything that you need for smart contract development so let's say you have for example the received or whatever um information you already have a contract to deployed like the banana and you want to call it from from your contract which is the contract that you use for exploit so uh basically you just specify the uh the contract address

which you want to call that's the first thing you do and then if you specified it you can think about this like an interface and then in the second call you can already call uh the other contract and this simple example works in most of the cases um so it's pretty much that and in this uh in this line we change the other contracts uh integer value to one let's see it in solidity um question does it get recorded because then everyone can look at this later what happened because if i compile this um smart contract this uh compiles into bytecode which can be transacted to either on the blockchain or you just use it in your javascript vm

and you can deploy it inside your browser and then you are immediately able to uh call it so we have one deployed we also deploy the second we copy the smart contract address from the second to the first you set it and then we check what is the mind value which is a zero we set it to five just as a test uh yes and then now we can see it that is five i know you don't see it but you can trust me i'm an engineer uh and now we call it from the first contract and again we check it from the other one and we see that it did change so we could do the call from one

contract to another so you can take it this code as a skeleton of your exploit and use it in a way you like so what else do we have here um let me check my notes that i haven't forgot anything yeah so uh like one of the key takeaways from this is that we are at web 2.5 definitely not web 3 where everything is decentralized and really uh working quite well we are right now patching decentralized systems with centralized web 3 hex basically and when this happens then issues like this can appear so i also wanted to show you will probably see it better

so uh to those who are familiar with python this might be more friendly for you so i was mentioning that you can put together the ecdsa party vrs which is needed um for the receipt most smart contract uh logic is implementing the ec require call in a solidity but how do you prepare something for easy recover and make sure that whatever you ascend or or prepare here is an example of how you can use ec recover in solidity in this last line so this is the solidity code example and if you want to use the the correct way then you either use my code or just search for it and you will find it online but i wanted to show you an

example how you can provide the correct values uh so basically we take the message we take the private key of the so you need to generate uh an ethereum a private key and just notice the public key near that if it's uh needed um then then we will encode this uh message so it can be used by v3 which is the web 3 um python module and it pretty much does most of the work for you and you can prepare the signatures you can also use this example in your back end if you want to build a bridge please don't do that but you can pretty much use a similar example and if you want to uh use uh the

same thing the way around uh not just to generate it but recover like the ec recover from solidity then uh this this is at the end is the example on how you do it in python you pretty much just pass the hash and the vrs to to the call so that's how it looks like so basically if you want to create this receipt for yourself then you can just take the arguments and insert it into your transaction which you can put together with remix or web3js or node.js or whatever tool you are more familiar with okay

so um possible solutions uh one solution uh to fix this and that's what the banana guys did they upgraded the smart contract and they uh basically put the chain id they wrote a function for chain id which you can query from solidity that's inbuilt uh or or you can use any other uniq id uh they add this to the receipt and when you send the receipt then uh it is checked on the smart contract that the received is actually meant to be used on that network on which you are using it what can be the problem the problem can be if you have another wrapped token uh deployed there is no real uh reason why you would

uh no realistic reason why you would do that but still this is not the perfect solution but works in limited ways and the other solution i i see what is being implemented is that you use different keys uh on both sides so you can't uh you can't uh reply the same receipt because the keys are the designer keys won't be accepted by this managed contract that's again kinda heckish and then we have a an actual webster-like solution which is uh xcmp they originally wanted to call it icmp but you can guess what's the issue with that so they call this cross chain messaging protocol it is a it is a system it right now it

mostly works in substrate like think about polka dot systems and you can send messages cross chain through that protocol um without needing a central bridge or a central system now we started to see some projects coming out who are implementing decentralized bridge systems uh yes if you know the whole thing there are atomic steps and other kind of tricky ideas but xcmp is something that is implementing the the messaging between uh blockchains right now mostly substrate based blockchains and if you are into rust i really recommend you to have a look into that because that's a lot of fun and you can also write smart contracts in rust which is way more fun than solidity which is

kind of uh java javascript like lack of combination um yeah and of course the banana guys refilled the uh hot wallet and now they are in in balance so one banana versus one wrapped banana um they refilled of course after the uh bridge i so what did we see like we also had the xc infinity hack now why i want to talk about this even though i think i will be soon running out of time uh so uh why i think it's interesting because um this uh was done by um state level kind of actors and they used web to um exploit in uh that's what we know so they they're probably using web 2 kind of exploits

they bridged enough notes and that they could do the 51 percent attack uh and they took over the running bridge and basically if you uh are 51 percent or more in the system you can uh you can do whatever you want and you can push your own transactions sadly it took three six days until they realized it so they didn't have anything that was monitoring uh for possible issues which is pretty long and yeah six days six hundred meals um again why i yeah uh why i speak about this because we are far from web three being perfect but we are heading towards that uh and yeah they just got recently uh hacked on discord it was a phishing attack so even

if you have like the best blockchain project you still rely on other systems and what's the takeaway of this is that it is never enough just to audit for example the smart contract because most uh projects do that okay now we have the audit report and it's done by uh certik audit whatever companies uh like the the ones that are more focusing on the logo um and uh and then they get fished then they get uh bridged by old school techniques which i was learning when i was 13. another recent hack a couple of days ago uh that's that's a little bit trolling from me uh so sorry for the guys i know some of them uh but uh yeah it's a quantum um

proof blockchain that's what the idea is and actually the uh the blockchain base is uh is implementing post quantum algorithms uh i looked into that and it's pretty cool but the problem was that they haven't gone uh through the the audit for example on the on their bridge so what happened is they have the quantum safe system and then they are hacked with the newtonian hacker so that's uh kind of ironic in many ways and they haven't really um gave us the info how they were hacked they said this will be uh there will be a release uh on the incident response what uh i know what i heard let's say is that uh the key is

the private keys where bridge uh breached so someone got access to the private keys that were controlling the the bridge transactions so these are the final thoughts mostly so when you want to make sure that the project is secure then audit and pen test everything not just parts of it and it is not enough to go around and show your swaggy reports but the actual thing needs to be done and yeah we are hopefully heading to a more decentralized webster like systems if you uh have questions i do not know how we are with how much time we have okay uh thank you so if you want to reach out to me then you can find me directly on matrix you

also find me on twitter if you want to have your project audited hopefully not just smart construct audited but to have the full scale pentas then you can send us a meal to hello at crucial that i if you want to play a hacking game cctf then you can join the cctf matrix.org actually in 10 minutes the cctf challenge is starting which we prepared for b sites what you can get is access to the cctf yacht which will definitely which will be the final um challenge and don't want to spoil that but uh we either do it again in uh dubai or singapore uh we already agreed on that and if you do not know what cctf is is a

global hacking challenge for cryptocurrency hackers and we don't care about your name whoever you are you just play you uh get flex you collect points and then if you are in the top then you can join the finals and also in the finals you can come totally anonymously if you want you can wear hats and cover your face you don't care just enjoy have fun and learn crypto hacking in a legitimate way so thank you for listening

okay six thank you any question from anybody please

okay well the information is there so don't forget to join the hacking game challenge yourselves challenge everybody else uh we'll start the break in that case early please do note that the next presentation will be at 11 10 if you could be back for them please once again six thank you [Applause]