Jump Crypto, a cybersecurity firm dedicated to enhancing security in the crypto ecosystem, recently discovered and reported a vulnerability in Celer’s State Guardian Network (SGN). The flaw had the potential to allow a malicious validator to compromise the entire State Guardian Network and applications reliant on it, such as Celer’s cBridge. However, the issue has been promptly addressed by the Celer team, and no exploitation took place.

State Guardian Network and the Vulnerability

Celer’s State Guardian Network (SGNv2) is a Cosmos-based blockchain designed to facilitate cross-chain communication. Validators within the SGN are responsible for monitoring Celer’s on-chain contracts and forwarding incoming messages or transfers to the corresponding contracts on the destination chain.

While the on-chain smart contracts of prominent bridge providers undergo extensive scrutiny, off-chain components often lack the same level of inspection. Many bridge providers use closed-source implementations and centralized components, excluding them from bug bounty programs. Recognizing the significance of off-chain security, Jump Crypto examined the implementation of cross-chain event forwarding in Celer’s SGNv2.

The Vulnerability Exploitation Process

A user bridging tokens with Celer calls the “send” method of the Celer liquidity bridge contract. This function locks the tokens in the bridge contract and emits a “Send” event that details the transfer. A syncer node within the SGN network picks up this event, bundles it with other concurrent events into a message called “MsgProposeUpdates,” and submits that message to the SGN chain.

To ensure the authenticity of updates, Celer relies on a voting mechanism where SGN nodes verify proposed updates on-chain and vote on their outcome. The vulnerability lay in the “EndBlocker” function, which failed to prevent a validator from voting multiple times on the same update. By exploiting this flaw, a malicious validator could multiply their voting power, potentially tipping the vote in favor of an invalid or malicious update.

The Fix and Impact

After being alerted to the vulnerability, the Celer team swiftly addressed it by implementing a small addition to the “EndBlocker” function. The fix ensures that only a single vote per validator is counted, eliminating the possibility of manipulation.
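The vote-counting flaw described above and the one-vote-per-validator property of the fix, shown as an added Go example; this is constructed illustrative code, not Celer's SGN implementation, and it assumes a simplified vote type, invented validator names and a two-thirds supermajority threshold:

```go
package main

import "fmt"

// Constructed, simplified model of an SGN vote; not Celer's own code.
type Vote struct {
	Validator string // validator identifier (assumed)
	Power     int64  // bonded voting power
	Approve   bool   // true = approve the proposed update
}

// YesPower sums the power behind approving votes. With dedup=false every
// submitted vote counts (the reported flaw: a validator repeating its vote N
// times gets N times its power); with dedup=true only one vote per validator.
func YesPower(votes []Vote, dedup bool) int64 {
	seen, yes := map[string]bool{}, int64(0)
	for _, v := range votes {
		if dedup && seen[v.Validator] {
			continue // repeated vote from the same validator: ignore it
		}
		seen[v.Validator] = true
		if v.Approve {
			yes += v.Power
		}
	}
	return yes
}

// Passes applies an assumed two-thirds threshold against total bonded power.
func Passes(yes, totalBonded int64) bool {
	return totalBonded > 0 && yes*3 >= totalBonded*2
}

// Scenario: two honest validators (40 power each) reject the update; one
// validator with 20 power submits the same approving vote four times.
func Scenario() (votes []Vote, totalBonded int64) {
	votes = []Vote{{"val-a", 40, false}, {"val-b", 40, false}}
	for i := 0; i < 4; i++ {
		votes = append(votes, Vote{"val-c", 20, true})
	}
	return votes, 100
}

func main() {
	votes, total := Scenario()
	for _, dedup := range []bool{false, true} {
		yes := YesPower(votes, dedup)
		fmt.Printf("dedup=%v yes=%d/%d passes=%v\n", dedup, yes, total, Passes(yes, total))
	}
}
```

Without deduplication the 20-power validator reaches 80 of 100 and the update passes; with it, the same validator counts once and the update fails.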

The ability to apply malicious updates would have allowed a rogue validator to carry out various fraudulent actions, including spoofing on-chain events such as token transfers, message emissions, and staking activities on Celer’s main SGN contract. Exploiting this vulnerability could result in tokens being transferred to an attacker-controlled account.

Celer’s defense-in-depth measures, such as delayed processing of outgoing transfers and the ability to pause contracts, mitigate the risk of a complete theft of funds. However, it is essential to note that dApps built on top of Celer’s inter-chain messaging would remain fully exposed to such vulnerabilities.

Conclusion

The discovery and subsequent remediation of vulnerabilities in blockchain projects highlight the critical role of cybersecurity in the crypto ecosystem. The Celer team should be commended for promptly addressing the reported vulnerability in their State Guardian Network. The incident underscores the importance of thoroughly examining off-chain components and implementing robust security measures.

Going forward, Celer intends to include the SGNv2 network in its bug bounty program and evaluate the potential payout for this vulnerability report. These efforts demonstrate a commitment to strengthening the security posture of their ecosystem. As the industry continues to evolve, it remains vital for projects to prioritize security and collaborate with cybersecurity experts to identify and mitigate potential vulnerabilities.

Source: https://azcoinnews.com/jump-crypto-finds-and-fixes-exploitable-flaw-in-celers-state-guardian-network.html