-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG: Backdoor Execution possible #72
Comments
Issue (still open)"Any malicious bridge pretending to be a genuine, if could somehow (showcasing different packets sending from multiple contracts) get a potential token contract (with high price value) get themselves added into their OApp/OFT/ONFT's DVN Security stack, the project suffers potentially billions of dollars of losses." Potential solution"LZ should introduce (sooner) their own LZ token and create kind of blockchain validators-like ecosystem with incentivization. That way it won't be so scattered." |
Reported to Bug Bounty program as well. |
This has been hashed out on discord and is not a vulnerability. Oapp developers must choose the amount of security they want for their use case and pay for said security. |
Description
A trusted bridge between 2 contracts (on 2 different chains) could verify & execute an encoded message without it actually been sent from the source chain. For instance, Alice (from Nova) didn't send wTSSC to itself/Bob (on Sepolia), but the receiver (Alice/Bob) received because of Bridge's verification and execution, given the OApp chose the set of malicious DVNs.
One can watch this video 🎬 as a demo to understand.
In the video, the bridge admin (potential hacker) just executed 2 messages without it actually been sent from the source chain.
Old videos to get more context:
There are 2 repos where u can find the code:
The text was updated successfully, but these errors were encountered: