BUG: Backdoor Execution possible #72

Closed

abhi3700 opened this issue May 3, 2024 · 5 comments

Comments

@abhi3700

abhi3700 commented May 3, 2024

Description

A trusted bridge between 2 contracts (on 2 different chains) could verify & execute an encoded message without it actually having been sent from the source chain. For instance, Alice (on Nova) didn't send wTSSC to herself/Bob (on Sepolia), but the receiver (Alice/Bob) received it because of the bridge's verification and execution, given that the OApp chose a set of malicious DVNs.

One can watch this video 🎬 as a demo to understand.
In the video, the bridge admin (potential hacker) simply executed 2 messages without them actually having been sent from the source chain.

Old videos to get more context:

There are 2 repos where you can find the code:

@abhi3700

abhi3700 commented May 3, 2024

Sharing the discussion thread here from LZ team & community:

@abhi3700

abhi3700 commented May 3, 2024

Issue (still open)

"Any malicious bridge pretending to be a genuine one, if it could somehow (by showcasing different packets sent from multiple contracts) get a potential token contract (with high price value) to add it into its OApp/OFT/ONFT's DVN security stack, the project suffers potentially billions of dollars of losses."

Potential solution

"LZ should introduce (sooner) their own LZ token and create kind of blockchain validators-like ecosystem with incentivization. That way it won't be so scattered."

@abhi3700

abhi3700 commented May 3, 2024

Reported to Bug Bounty program as well.

@abhi3700

abhi3700 commented May 6, 2024

Discord chat post Bug Report submission:

Currently, there are 2 main issues/disclaimers for developers using the LZ approach as a cross-chain solution:

  1. LZ is (kind of) centralized with few DVNs available for message verification before its execution.
  2. An LZ OApp developer needs to apply due diligence before setting its DVN security stack.
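The two points above, and the demo described in the opening post (a bridge admin who controls the DVNs executing messages that never left the source chain), come down to one threshold check on the destination chain. The following is an added example written for this thread, not code from LayerZero or from the issue author. It models the documented ULN rule that a packet becomes verifiable only once every *required* DVN has attested to it and at least `optional_threshold` of the *optional* DVNs have; block confirmations, the executor and the real packet encoding are left out, and the packet hashing, endpoint IDs, DVN names and the honest/colluding split are all constructed for illustration.

```python
"""Simplified model of a LayerZero V2-style DVN security stack.

Added example for this thread; not code from LayerZero or the issue author.
Models the documented ULN rule: a packet is verifiable on the destination
only after every *required* DVN has attested to it and at least
`optional_threshold` of the *optional* DVNs have. Packet encoding, endpoint
IDs, DVN names and the honest/colluding split are constructed here.
"""
from dataclasses import dataclass
from hashlib import sha256


def packet_hash(src_eid: int, dst_eid: int, nonce: int,
                sender: str, receiver: str, payload: bytes) -> bytes:
    """Constructed packet identifier (not the real LayerZero packet encoding)."""
    header = f"{src_eid}:{dst_eid}:{nonce}:{sender}:{receiver}:".encode()
    return sha256(header + payload).digest()


class SourceChain:
    """The set of packets the source endpoint actually emitted."""

    def __init__(self) -> None:
        self.sent: set[bytes] = set()

    def send(self, h: bytes) -> None:
        self.sent.add(h)


@dataclass(frozen=True)
class UlnConfig:
    required: frozenset[str]
    optional: frozenset[str] = frozenset()
    optional_threshold: int = 0


class DestinationULN:
    """Records DVN attestations and applies the security-stack threshold."""

    def __init__(self) -> None:
        self.attestations: dict[bytes, set[str]] = {}

    def record(self, dvn: str, h: bytes) -> None:
        self.attestations.setdefault(h, set()).add(dvn)

    def verifiable(self, cfg: UlnConfig, h: bytes) -> bool:
        seen = self.attestations.get(h, set())
        if not cfg.required <= seen:  # every required DVN must have attested
            return False
        if len(cfg.optional & seen) < cfg.optional_threshold:  # plus the optional quorum
            return False
        return True


class HonestDVN:
    """Attests only to packets it can observe on the source chain."""

    def __init__(self, name: str, source: SourceChain) -> None:
        self.name, self.source = name, source

    def verify(self, uln: DestinationULN, h: bytes) -> None:
        if h in self.source.sent:
            uln.record(self.name, h)


class ColludingDVN:
    """Run by the bridge admin: attests to whatever hash it is handed."""

    def __init__(self, name: str) -> None:
        self.name = name

    def verify(self, uln: DestinationULN, h: bytes) -> None:
        uln.record(self.name, h)


def run_scenario(cfg: UlnConfig, dvns: list, h: bytes) -> bool:
    """Fresh destination ULN; every DVN gets a chance to attest; then check."""
    uln = DestinationULN()
    for dvn in dvns:
        dvn.verify(uln, h)
    return uln.verifiable(cfg, h)


def demo() -> dict[str, bool]:
    src = SourceChain()
    honest = HonestDVN("independent-dvn", src)
    admin1 = ColludingDVN("bridge-admin-dvn-1")
    admin2 = ColludingDVN("bridge-admin-dvn-2")
    dvns = [honest, admin1, admin2]

    # Constructed sample packets (eids 1 and 2 are placeholders):
    # one really sent on the source chain, one never sent at all.
    real = packet_hash(1, 2, 1, "0xOAppNova", "0xOAppSepolia", b"wTSSC:alice->bob:100")
    src.send(real)
    fake = packet_hash(1, 2, 2, "0xOAppNova", "0xOAppSepolia", b"wTSSC:alice->bob:1000000")

    colluding_only = UlnConfig(required=frozenset({"bridge-admin-dvn-1"}))
    honest_required = UlnConfig(required=frozenset({"bridge-admin-dvn-1", "independent-dvn"}))
    honest_plus_optional = UlnConfig(required=frozenset({"independent-dvn"}),
                                     optional=frozenset({"bridge-admin-dvn-1", "bridge-admin-dvn-2"}),
                                     optional_threshold=1)
    return {
        "real_colluding_only": run_scenario(colluding_only, dvns, real),
        "fake_colluding_only": run_scenario(colluding_only, dvns, fake),  # the "backdoor" in the demo video
        "fake_honest_required": run_scenario(honest_required, dvns, fake),
        "real_honest_plus_optional": run_scenario(honest_plus_optional, dvns, real),
        "fake_honest_plus_optional": run_scenario(honest_plus_optional, dvns, fake),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifiable' if ok else 'rejected'}")
```

The model makes the trade-off concrete: with only the bridge admin's DVN in the required set, the never-sent packet verifies just like the real one, which is what the demo video shows; as soon as one DVN that the admin does not control is required, the fabricated packet is rejected while the real one still passes. Adding colluding DVNs only to the optional set changes nothing, because the required set is checked unconditionally.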

@bholcomb8

This has been hashed out on Discord and is not a vulnerability. OApp developers must choose the amount of security they want for their use case and pay for said security.
