Aurora Bug Bounty Program / Reports and Rewards
A summary of Aurora’s bug reports and rewards, from the start of the Bug Bounty Program with Immunefi, April 2022, until now, September 2022.
This list will be periodically updated.
Infinite ETH Inflation Vulnerability In Aurora Engine
Picture created by Immunefi in honor of the hacker.
Hacker: pwning.eth
Hacker’s reward: $6.000.000 USD*
Immunefi fee: $600.000 USD**
Reward paid: May-17-2022
On April 26, 2022, Aurora Labs received a bug report with critical severity affecting the Aurora Engine through its Immunefi bug bounty program.
The bug report described an inflation vulnerability that, if exploited, would have allowed an attacker to mint an infinite supply of ETH in the Aurora Engine. That artificial ETH could then have been used to drain all ETH in the bridge contract on Ethereum (more than 70k ETH at the time of the report, about $204M). The artificial ETH would also have allowed the attacker to drain all tokens from the liquidity pools containing ETH on Aurora and NEAR, putting those tokens at risk as well.
Shortly after the bug was confirmed, a patch was developed and deployed on both mainnet and testnet.
We thank pwning.eth for responsibly disclosing the vulnerability and great cooperation!
*Hacker’s reward was paid in the form of 1.725.000 AURORA tokens, linearly released over a period of 1 year via the Sablier service.
**Immunefi fee was paid in the form of 140.550 AURORA tokens.
ft_on_transfer handler allows theft of funds
Hacker: anonymous
Hacker’s reward: $1.000.000 USD*
Immunefi fee: $100.000 USD**
Reward paid: Jul-18-2022
The flow for bridging NEP-141 tokens from NEAR into Aurora as ERC-20 tokens could have been misused by an attacker to steal ETH from any address on Aurora.
The problematic part of the NEP-141 bridging flow is the option to charge a fee (denominated in ETH) to the recipient. The recipient is never required to approve this fee, and due to the permissionless nature of the bridge, anyone can bridge over any token.
Since the fee was never used legitimately by the bridge front-end, we simply removed the logic which sets a non-zero fee.
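A simplified model of the handler’s fee logic, added here as an illustration and not the Aurora Engine’s own code. It assumes a message carrying recipient, relayer and fee fields, assumes the fee was credited to the relayer, and models the fix as rejecting any non-zero fee:

```rust
// Toy model of the NEP-141 -> Aurora bridging step ("ft_on_transfer") with the fee
// defect and its fix. Assumed shapes and names; not the Aurora Engine's real code.
use std::collections::HashMap;

type Address = [u8; 20];
type Wei = u128;

/// Message attached to a bridged transfer (assumed shape, not Aurora's wire format).
pub struct TransferMsg {
    pub recipient: Address, // Aurora address that receives the bridged tokens
    pub relayer: Address,   // whoever submits the transfer; assumed to collect the fee
    pub fee: Wei,           // fee in ETH charged to the recipient, chosen by the sender
}

#[derive(Default)]
pub struct Engine {
    eth: HashMap<Address, Wei>,    // ETH balances on Aurora
    token: HashMap<Address, u128>, // balances of the bridged ERC-20
}

impl Engine {
    pub fn with_eth(balances: &[(Address, Wei)]) -> Self {
        Engine { eth: balances.iter().cloned().collect(), ..Default::default() }
    }
    pub fn eth_balance(&self, a: &Address) -> Wei { *self.eth.get(a).unwrap_or(&0) }
    pub fn token_balance(&self, a: &Address) -> u128 { *self.token.get(a).unwrap_or(&0) }

    /// Vulnerable: the sender names both the recipient and the fee, and the recipient
    /// never approves it, so anyone bridging any token can pull ETH out of any account.
    pub fn ft_on_transfer_vulnerable(&mut self, amount: u128, msg: &TransferMsg) -> Result<(), &'static str> {
        let bal = self.eth_balance(&msg.recipient);
        if bal < msg.fee { return Err("recipient cannot cover fee"); }
        self.eth.insert(msg.recipient, bal - msg.fee);
        *self.eth.entry(msg.relayer).or_insert(0) += msg.fee;
        *self.token.entry(msg.recipient).or_insert(0) += amount;
        Ok(())
    }

    /// Fixed, as described above: the fee path is gone, so ETH never moves in this handler.
    pub fn ft_on_transfer_fixed(&mut self, amount: u128, msg: &TransferMsg) -> Result<(), &'static str> {
        if msg.fee != 0 { return Err("fees are not supported"); }
        *self.token.entry(msg.recipient).or_insert(0) += amount;
        Ok(())
    }
}
```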
We thank anonymous for responsibly disclosing the vulnerability!
*Hacker’s reward was paid in the form of 600.000 AURORA tokens, linearly released over a period of 1 year via the Sablier service.
**Immunefi fee was paid in the form of 129.865 AURORA tokens for both this case and ‘Withdraw funds from EthCustodian without burn on Aurora side’.
Withdraw funds from EthCustodian without burn on Aurora side
Hacker: anonymous
Hacker’s reward: $1.000.000 USD*
Immunefi fee: $100.000 USD**
Reward paid: Jul-19-2022
An attacker could have withdrawn assets from the Rainbow Bridge lockers on Ethereum without burning the corresponding assets on the NEAR/Aurora side of the bridge. This theft of funds could prevent legitimate user withdrawals in the future (if there were not enough funds left in the locker).
As a short-term solution we implemented a check in the engine which forbids output that could be parsed as a bridge withdrawal event (except from the actual withdrawal function of course). This closes the vulnerability, but is a little hacky. The long term solution (which the bridge team is working on) is to have the bridge operate on NEAR proofs of state (i.e. actual token balances) instead of proofs of output from transactions.
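The short-term guard described above, modelled as an added example rather than the engine’s actual code. The withdrawal event layout (an 8-byte tag, a 20-byte recipient, a 16-byte amount) is an assumption standing in for the real bridge encoding:

```rust
// Toy model of the engine-side check: output that parses as a bridge withdrawal event is
// refused unless it came from the genuine withdraw entry point. Assumed event layout.

/// Hypothetical withdrawal event: fixed tag, 20-byte Ethereum recipient, 16-byte amount.
const WITHDRAW_TAG: &[u8; 8] = b"WITHDRAW";
const EVENT_LEN: usize = 8 + 20 + 16;

pub struct Withdrawal {
    pub recipient: [u8; 20],
    pub amount: u128,
}

/// Parse raw engine output the way a bridge prover would, returning None if it is not an event.
pub fn parse_withdrawal(output: &[u8]) -> Option<Withdrawal> {
    if output.len() != EVENT_LEN || &output[..8] != &WITHDRAW_TAG[..] {
        return None;
    }
    let mut recipient = [0u8; 20];
    recipient.copy_from_slice(&output[8..28]);
    let mut amt = [0u8; 16];
    amt.copy_from_slice(&output[28..44]);
    Some(Withdrawal { recipient, amount: u128::from_be_bytes(amt) })
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed,
    Rejected,
}

/// The guard: only the real withdraw function may emit output shaped like a withdrawal event.
/// Any other call (for example a contract returning crafted bytes) is refused.
pub fn guard_output(from_withdraw_fn: bool, output: &[u8]) -> Verdict {
    if !from_withdraw_fn && parse_withdrawal(output).is_some() {
        Verdict::Rejected
    } else {
        Verdict::Allowed
    }
}

/// Encode a genuine event, as the real withdraw path would.
pub fn encode_withdrawal(w: &Withdrawal) -> Vec<u8> {
    let mut v = WITHDRAW_TAG.to_vec();
    v.extend_from_slice(&w.recipient);
    v.extend_from_slice(&w.amount.to_be_bytes());
    v
}
```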
We thank anonymous for responsibly disclosing the vulnerability!
*Hacker’s reward was paid in the form of 580.000 AURORA tokens, linearly released over a period of 1 year via the Sablier service.
**Immunefi fee was paid in the form of 129.865 AURORA tokens for both this case and ‘ft_on_transfer handler allows theft of funds’.
Several reports
Hacker: nnez
Hacker’s reward: $50.000 USD*
Immunefi fee: $5.000 USD**
Reward paid: Sep-27-2022
We received a few reports from one hacker, two of which were particularly interesting: they described exactly the same critical-severity issues that had been reported to us previously by two different hackers.
The first, ‘Stealing ETH from any accounts on Aurora by triggering ft_on_transfer’, reported the same issue as ‘ft_on_transfer handler allows theft of funds’.
It was submitted to us just 4 days after the original report.
The second, ‘A receipt to withdraw ETH from EthCustodian contract can be forged using get_code function, allowing attacker to drain all the funds on the contract’, was a duplicate of ‘Withdraw funds from EthCustodian without burn on Aurora side’, submitted only 6 days after the original report.
Had nnez reported these issues just two weeks earlier, he might have been eligible for AURORA tokens worth $2.000.000 USD.
For all his effort and skill, we have decided to award nnez $50.000 USD, and we hope he will continue examining our code and informing us of any outstanding issues!
*Hacker’s reward was paid in the form of 43.860 AURORA tokens.
**Immunefi fee was paid in the form of 4.545 AURORA tokens.
Other reports
Hacker: various hackers
Reward: $11.000 USD*
We have received various additional reports that were rewarded according to the rules of our Bug Bounty Program, or according to their significance.
*Rewards and fees were mainly paid in AURORA tokens, with a few exceptions paid in NEAR.