Skip to content

Reproduction of the Polygon ERC20 Bridge ($850M) Double Spend Hack

Notifications You must be signed in to change notification settings

xanderdunn/polygon_hack_repro

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Polygon (Matic) Hack

  • $2M white hat hacker bounty paid
  • Writeup here
  • The commit that fixes it is here
  • It was merged here. Latest should not exhibit the bug. 718bf86fada5dbd2fedcea0184a59921a625f356 should exhibit the bug.

Polygon Setup on Ubuntu 18.04

  • git clone https://github.com/maticnetwork/contracts.git matic_contracts
  • cp DoubleSpendRepro.test.js matic_contracts/test/integration/root/predicates/
  • cd matic_contracts
  • git checkout 718bf86fada5dbd2fedcea0184a59921a625f356 This is the last commit before it was fixed.
  • Install dependencies: sudo apt install gcc g++ make python
  • Install nvm
  • nvm install 8.11.3
  • nvm use 8.11.3
  • node --version should be 8.11.3
  • npm install
  • Install Docker
  • Fix Docker permissions here
  • Compile the test network: npm run template:process -- --bor-chain-id 80001
  • npm run truffle:compile, should see Compiled successfully using:

Polygon Run

  • Run the main chain: npm run testrpc
  • Run the matic sidechain: npm run bor:simulate, or stop an existing matic sidechain: npm run bor:clean
  • Deploy the contracts: npm run truffle:migrate
  • Set the command to only run our unit test, modify npm test in package.json to execute: truffle test test/integration/root/predicates/DoubleSpendRepro.test.js --migrations_directory migrations_null
  • Run tests: npm test. Note that running npm test runs the migration.
  • You will see this output:
  Contract: ReproduceDoubleSpendBug
    reproduceDoubleSpendBug
Deposit amount: 10000000000000000000
Before transfer root tokens: 0
Before transfer child tokens: 0
Before deposit root tokens: 10000000000000000000
Before deposit child tokens: 0
After deposit root tokens: 0
After deposit child tokens: 10000000000000000000
After withdraw root tokens: 0
After withdraw child tokens: 0
Branch mask:0x0080
After exit transaction root tokens: 0
After exit transaction child tokens: 0
After process exit root tokens: 10000000000000000000
After process exit child tokens: 0
Branch mask:0x0180
After exit transaction root tokens: 10000000000000000000
After exit transaction child tokens: 0
After process exit root tokens: 20000000000000000000
After process exit child tokens: 0
Branch mask:0x0280
After exit transaction root tokens: 20000000000000000000
After exit transaction child tokens: 0
After process exit root tokens: 30000000000000000000
After process exit child tokens: 0

The above successfully shows the attack where the user has withdrawn their tokens multiple times on the same deposit.

TODO

  • It takes me 2min33s to run my test, how do I improve this iteration time? It's caused by truffle's migrations and deploys on every run.
  • Why do I have to disable the bor chain id check in Root.sol? It's something to do with the test net setup
  • Why do I not have to wait the 7 day challenge period to get the tokens back on the Ethereum side in my unit testing? Is something disabling it in the test net?

About

Reproduction of the Polygon ERC20 Bridge ($850M) Double Spend Hack

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published