According to The Block, a security researcher by the name of pwning.eth uncovered a software vulnerability in three Ethereum-compatible parachains on the Polkadot network: Moonbeam, Astar Network, and Acala. The flaw may have resulted in a loss of up to $200 million.
Frontier, a program used for “wrapping” native tokens on the three blockchain projects on the Polkadot network, was discovered to have a flaw in June. Initially found by pwning.eth on June 27 and submitted via Immunefi, a bug-hunting platform focused on cryptocurrencies, the severe defect was only recently made public.
An Immunefi spokesperson said a weakness uncovered by pwning.eth might have let hackers steal over $200 million across Moonbeam, Astar Network, and Acala. According to the representative, a defect in all three would have allowed bad actors to create wrapped native tokens.
On June 27, @PwningEth found a crit bug that affected @MoonbeamNetwork @AstarNetwork @AcalaNetwork and could’ve led to a loss of $200m+.
But he saved the day and got a $1 million payout.
Thanks to @paritytech for their contribution to the reward! https://t.co/O9SQKATfPC
— Immunefi (@immunefi) January 4, 2023
In crypto, wrapping transforms the native crypto assets of a blockchain into tokens that apps can more easily support. The native tokens are often held in escrow by a smart contract, which then issues the wrapped tokens to the user. Wrapped tokens serve as a stand-in for their native counterparts, allowing them to be exchanged and used on platforms that don’t necessarily support the underlying asset. While token wrapping might improve the usefulness and liquidity of some assets, it also exposes them to new risks, such as smart contract vulnerabilities.
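The escrow model described above implies an invariant a defender can monitor: wrapped tokens in circulation should never exceed the native coins held by the wrapper contract. The following is an added example, not code from this article or from any of the projects it names; the event fields and the sample log are constructed for illustration.

```python
# Added example: solvency check for a wrapped-native token (constructed data).
from typing import NamedTuple

class Event(NamedTuple):         # hypothetical log record, not a real chain format
    block: int
    kind: str            # "deposit" mints wrapped tokens, "withdrawal" burns them
    amount: int          # wrapped tokens minted or burned
    escrow_after: int    # native balance of the wrapper contract after the block

def wrapped_supply(events):
    """Replay mint/burn events and yield (event, running wrapped supply)."""
    supply = 0
    for ev in events:
        if ev.kind == "deposit":
            supply += ev.amount
        elif ev.kind == "withdrawal":
            supply -= ev.amount
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
        if supply < 0:
            raise ValueError(f"block {ev.block}: burned more than was minted")
        yield ev, supply

def find_shortfalls(events):
    """Return (block, shortfall) wherever wrapped supply exceeds escrowed coins."""
    return [(ev.block, supply - ev.escrow_after)
            for ev, supply in wrapped_supply(events)
            if supply > ev.escrow_after]

# Constructed sample log: block 103 records a mint that added nothing to escrow.
SAMPLE = [
    Event(100, "deposit", 500, 500),
    Event(101, "deposit", 250, 750),
    Event(102, "withdrawal", 100, 650),
    Event(103, "deposit", 1_000, 650),   # unbacked: supply 1650, escrow 650
    Event(104, "withdrawal", 300, 350),  # redemption drains real coins; gap persists
]

if __name__ == "__main__":
    for block, gap in find_shortfalls(SAMPLE):
        print(f"block {block}: wrapped supply exceeds escrow by {gap}")
```

A shortfall that persists across later blocks, as in the sample, means redemptions are being paid from other holders' deposits, which is the insolvency risk for a wrapped token.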
According to Immunefi’s calculations, the total value of the vulnerable assets across all three parachains was close to $200 million. Before any bad actors could exploit the flaw, the teams behind the three parachains worked to solve it and delivered an emergency patch, so no funds were lost.
Through Immunefi, Moonbeam and Astar, two companies with active bug bounty programs, granted a $1 million bounty to pwning.eth. Additionally, despite not having a bug bounty with Immunefi, Parity, the creator of the Frontier library, opted to pay $250,000 towards the $1 million award. In early 2022, pwning.eth was awarded a $6 million bounty for detecting a vulnerability in Aurora, an Ethereum Virtual Machine-compatible blockchain for NEAR Protocol. That discovery prevented the loss of almost 70,000 ETH worth $210 million.
Could wrapped tokens like WETH be forced Insolvent? This bug I reported in frontier EVM can depeg the native wrapped tokens in @MoonbeamNetwork and @AstarNetwork. $150M+ funds in @Polkadot ecosystem were secured! https://t.co/eiocgChpaA
— pwning.eth (@PwningEth) December 2, 2022