PolyNetwork Bug Review And Patch Analysis

  • Review Target: https://github.com/polynetwork/eth-contracts/pull/12/files
  • Review Period: August 13, 2021 — August 15, 2021
  • Issue Description: PolyNetwork is a cross-chain interoperability bridge that allows a variety of chains to flexibly interact with each other, transfer arbitrary data, and carry out cross-chain transactions. Arguably one of the largest cross-chain protocols in terms of Total Value Locked (TVL) and liquidity, it has so far supported a number of chains, including Ethereum, Binance Smart Chain (BSC), Polygon, Heco, and Ontology. To facilitate the implementation, the protocol is designed around a number of cooperating components (each with its own roles and responsibilities), such as the Relay Chain, Off-Chain Relayer, and Keeper, as well as various smart contracts deployed on the supported blockchains. In the following, we mainly focus on the smart contracts deployed on Ethereum, as reflected in our review target.
Figure 1: EthCrossChainManager::verifyHeaderAndExecuteTx()
Figure 2: The Cross-Chain Transaction Comparison in PolyNetwork: Normal vs. Exploited
  • Issue Fixup: PR-12 is proposed to address the above issue by implementing a much-needed whitelist feature. In essence, this whitelist defines the list of administrator-approved contracts and their associated methods, which is then used to validate the above member fields, especially toContract and method, to thwart any manipulation. As an extra precaution, we also suggested defining a whitelist of callers that are allowed to call the crossChain() function to initiate a cross-chain transaction. After discussion, the team took the suggestion and included it as part of PR-12.

    To conclude, the proposed PR-12 achieves the intended goal by fixing the loophole in the original implementation. Once merged, it is ready to be deployed to upgrade (and fix) the deployed version.
  • Disclaimer: This is an informal security review, not a full security audit, and it does not give any warranties on finding all possible security issues of the given smart contract(s), i.e., the evaluation result does not guarantee the nonexistence of any further findings of security issues. Furthermore, we always recommend proceeding with several independent full audits and a public bug bounty program to ensure the security of smart contract(s). Lastly, this security review report should not be used as investment advice.
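
A minimal Solidity sketch of the two whitelist checks described under Issue Fixup, added here as an illustration and not taken from PR-12 or the PolyNetwork code base. All contract, mapping, event and function names other than toContract, method and crossChain() are hypothetical, and the method(bytes) calling convention is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the PR-12 code. Contract, mapping, event and
// function names are hypothetical; only toContract, method and crossChain()
// come from the review text.
contract WhitelistSketch {
    address public immutable admin;
    // toContract => keccak256(method name) => approved by the administrator
    mapping(address => mapping(bytes32 => bool)) public approvedMethod;
    // callers permitted to initiate a cross-chain transaction
    mapping(address => bool) public approvedCaller;

    event CrossChainRequested(address indexed caller, uint64 toChainId, bytes toContract, bytes method, bytes txData);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function setApprovedMethod(address toContract, string calldata method, bool ok) external onlyAdmin {
        approvedMethod[toContract][keccak256(bytes(method))] = ok;
    }

    function setApprovedCaller(address caller, bool ok) external onlyAdmin {
        approvedCaller[caller] = ok;
    }

    // Outbound side: only whitelisted callers may start a transfer.
    function crossChain(uint64 toChainId, bytes calldata toContract, bytes calldata method, bytes calldata txData) external {
        require(approvedCaller[msg.sender], "caller not whitelisted");
        emit CrossChainRequested(msg.sender, toChainId, toContract, method, txData);
    }

    // Inbound side: runs after header and proof verification (omitted here).
    // Both fields arrive in the relayed message, so they are checked as a
    // pair against the whitelist before any external call is made.
    function _dispatch(address toContract, string memory method, bytes memory args) internal returns (bytes memory) {
        require(approvedMethod[toContract][keccak256(bytes(method))], "target/method not whitelisted");
        // Assumed calling convention: the target exposes method(bytes).
        bytes4 selector = bytes4(keccak256(abi.encodePacked(method, "(bytes)")));
        (bool ok, bytes memory ret) = toContract.call(abi.encodeWithSelector(selector, args));
        require(ok, "target call failed");
        return ret;
    }
}
```

Keying the whitelist on the (toContract, method) pair rather than on the target address alone means an approved contract cannot be driven through a method the administrator never approved.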



A Blockchain Security Company (https://peckshield.com)
