Jump Crypto finds double-voting vulnerability in Celer’s SGN
The bug would have allowed malicious validators to compromise the network and applications that rely on it, including Celer’s cBridge.
Web3 investor and developer Jump Crypto has identified a vulnerability in Celer’s State Guardian Network (SGN) that would allow malicious validators to compromise the network and applications dependent on it, including Celer’s cBridge.
According to Jump Crypto’s postmortem report, validators were allowed to vote more than once on the same update due to a bug in the SGN EndBlocker code. By allowing validators to vote multiple times, malicious actors could multiply their voting power to approve harmful updates. The report explained:
“The [EndBlocker] code is missing a check that prevents a validator from voting on the same update twice. A malicious validator could exploit this by voting multiple times on the same update, effectively multiplying their voting power and potentially tipping the vote in favor of an invalid or malicious update.”
Celer is a Cosmos-based blockchain that supports cross-chain communication. Jump reviewed the script after Celer released parts of the off-chain SGNv2 code on GitHub. The protocol’s team was then privately notified about the vulnerability, which has been fixed without any malicious exploitation.
As the report points out, the vulnerability would give a malicious validator a “wide range of options,” including the ability to spoof arbitrary on-chain events such as bridge transfers, message emissions or staking and delegation on Celer’s main SGN contract.
However, Celer has defenses to avoid a complete theft of bridge funds. The report highlights three mechanisms: a delay triggered by the bridge contract on transfers over a certain value, a volume-control mechanism limiting the value of tokens that can be extracted within a short period and an emergency halt of contracts that would be triggered once malicious transfers cause an under-collateralization event.
Despite the security guardrails, the protocol would not be fully protected. According to Jump’s report, the transaction limits only apply per chain and token, and “due to the large number of supported tokens and chains, it seems realistic that an attacker could exfiltrate tokens with a value of ~$30M before the contracts are halted,” it said.
The amount represents approximately 23% of Celer’s current total value locked of $129.28 million at the time of writing, according to DefiLlama.
“It is important to note that these built-in mechanisms only have the power to protect Celer’s own bridge contracts. dApps built on top of Celer’s inter-chain messaging would be fully exposed to these vulnerabilities by default,” the report continued.
Celer offers a $2 million bug bounty for vulnerabilities in its bridge. However, bounties do not cover off-chain bugs such as the one found in the SGNv2 network.
Jump said it has been in discussion with the protocol about adding the SGNv2 network to its bug bounty program. A potential payout for Jump’s report is under evaluation by Celer’s team.
Magazine: Here’s how Ethereum’s ZK-rollups can become interoperable