An update to the initial post with a summary of Aurora’s bug reports and rewards.
Date range: September 2022 - September 2023
Infinite ETH/Token Minting Vulnerability
Hacker: Goohong Jung (cybermong)
Hacker’s reward: $800.000 USD*
Immunefi fee: $80.000 USD**
Reward paid: Sept-08-2022
The bug report identifies a vulnerability in the Deposit process that allows an attacker to reuse a “proof” value and mint tokens infinitely. The vulnerability arised from a flaw in verifying the “proof” value using a sha256 hash, enabling an attacker to bypass this check by modifying the log_index value. Subsequently, the attacker could drain all tokens in the EthCustodian contract.
Kudos to Goohong Jung (cybermong) for responsibly disclosing the vulnerability and demonstrating remarkable cooperation
*Hacker’s reward was paid in AURORA tokens, linearly released over a period of 1 year via service Sablier.
**Immunefi fee was paid in AURORA tokens
Aurora Engine Call Stack Overflow
Hacker: @chai
Hacker’s reward: $1000 USD*
Immunefi fee: $100 USD**
Reward paid: Nov-18-2022
The bug report identifies an Integer Overflow vulnerability within the Aurora Engine, specifically in the record_dynamic_cost function within the Sputnik EVM code base. The vulnerability had the potential to cause the Aurora Engine EVM to crash if exploited by an adversary.
We thank @chai for responsibly disclosing the vulnerability and great cooperation!
*Rewards paid in USDT.
**Fee paid in Aurora tokens.
NearBridge does not check for contract code size at `target` of `AdminControlled.adminDelegatecall`
Hacker: @pcaversaccio
Hacker’s reward: $500 USD*
Immunefi fee: $50 USD*
Reward paid: Nov-30-2022
The bug report highlights a vulnerability related to how the EVM treats calls to non-existing contracts (Externally Owned Accounts - EOA) as always successful and how Solidity adds an extra check using the extcodesize opcode for external calls. However, this check is absent in low-level calls, like .call(), .delegatecall(), .staticcall(), .send(), and .transfer().
We thank @pcaversaccio for responsibly disclosing the vulnerability and great cooperation!
*Rewards and fees paid in AURORA tokens.
Multiple Stored XSS and SSRF vulnerabilities
Hacker: United Global Whitehat Security Team
Hacker’s reward: $50000 USD*
Immunefi fee: $5000 USD*
Reward paid: Dec-01-2022
The bug report highlights multiple web2 vulnerabilities within the RAINBOWBRIDGE.APP and AURORA applications, arising from misconfigurations in the NextJS library across various domains. These vulnerabilities can directly impact web3 assets and users, potentially leading to severe exploits, including Crypto Funds Theft, Web3 wallet takeover, Spoofed Transactions, Stored Cross Site Scripting, CSS Keylogging, defacing/serving malicious pages, and advanced phishing campaigns.
Hats off to United Global Whitehat Security Team who spotted these bugs! Thanks a bunch for helping us tighten the security screws
*Rewards and fees paid in AURORA tokens.
Unexpected Revert & Overflow in modexp precompile
Hacker: BlockSec
Hacker’s reward: $10000 USD*
Immunefi fee: $1000 USD*
Reward paid: Jan-30-2023
Two bug reports were submitted:
- The bug report identifies an overflow defect in the modexp function of the Aurora engine, specifically when the length of the exponent (e_len) is at its maximum value (usize::MAX). The overflow occurs during calculation when e_start exceeds 96, presenting a potential security vulnerability.
- The bug report raises an issue related to a precompiled contract (0x8) responsible for elliptic curve calculations. The report identifies a discrepancy in the contract’s behavior between versions 2.7.0 and 2.6.1, specifically regarding the handling of the point (0,0) based on a mathematical formula from the Ethereum Yellow Paper.
A huge thank you to @BlockSec for responsibly reporting the vulnerability and for an outstanding cooperation!
*Rewards and fees paid in AURORA tokens.
Phishing risk introduced by broken links
Hacker: @AgentJacker
Hacker’s reward: $1000 USD*
Immunefi fee: $100 USD*
Reward paid: Jan-25-2023
The bug report highlights a broken link on the NEAR Protocol announces the availability of the NEAR token on Ethereum - Aurora Blog page, leading to ruler.fyi. The broken link poses a potential phishing risk, as attackers could exploit it to deceive unaware users. The report emphasizes the significance of addressing this issue, as it impacts a core system. The reporter also mentions the availability of the domain “ruler.fyi” for purchase, presenting a low-cost opportunity for potential phishing exploits.
A special thanks to @AgentJacker for responsibly disclosing the vulnerability and for a superb cooperation.
*Rewards and fees paid in AURORA tokens.
Phishing risk introduced by content injection
Hacker: @adge
Hacker’s reward: $5000 USD*
Immunefi fee: $500 USD*
Reward paid: Mar-27-2023
The reporter has identified a content modification vulnerability in the help scout system associated with https://rainbowbridge.app. The vulnerability allows the insertion of malicious text into the system, which could be used to spoof content via email to users of Aurora, potentially leading to phishing attempts.
Kudos to @adge for responsibly disclosing the vulnerability and demonstrating remarkable cooperation!
*Rewards and fees paid in AURORA tokens.
Several reports on HackenProof
Lack of rate limiting on email changes
Hacker: @cyberarmy101
Hacker’s Reward: $100 USD*
HackenProof fee: $7 USD
Reward paid: May-30-2023
Spam Attack: A malicious actor can send a bulk of emails to the victim’s address through a flaw in the ‘change email’ function on the user dashboard. Potential fraud or some sort of social engineering
Email disclosure vulnerability in Aurora+
Hacker: @Me9187
Hacker’s Reward: $2000 USD*
HackenProof fee: $140
Reward paid: May-04-2023
The bug report indicates a security vulnerability in the authentication and authorization system used by the dApp Aurora.Plus. The application utilizes Supabase for these purposes. The issue pertains to the JWT (JSON Web Token) generated upon successful registration and login, which contains incorrect permissions. Specifically, the JWT allows unauthorized access to the ‘referral_counts_only_staked’ supabase object, which holds email addresses of platform users, posing a significant privacy and security risk.
Multiple subdomain takeover vulnerabilities
Hacker: @holybugx
Hacker’s Reward: $1000 USD* + $1000 USD*
HackenProof fee: $140
Reward paid: Sept-04-2023 and Sept-27-2023
The report highlights a security vulnerability discovered during a reconnaissance of the Aurora.Plus dApp main page, where references to aurora.dev were found in the page footer. Further investigation revealed that rde.aurora.dev was pointing to an unclaimed AWS elastic IP, indicating a vulnerability to subdomain takeovers. Subdomain takeovers are classified as high-risk due to their potential for severe exploitation. The potential impacts of a subdomain takeover include cookie theft, stored XSS, phishing, and hosting malicious content. These consequences could significantly compromise user security and data integrity.
Hats off to the vigilant hackers who spotted these bugs! Thanks a bunch for helping us tighten the security screws
*Rewards and fees paid in AURORA tokens.
An undercharging of EVM gas relative to the amount of computation required for certain inputs to the modexp precompile
Hacker: Guido Vranken
Hacker’s reward: $6200 USD*
Reward paid: Aug-17-2023
The bug would have resulted in Aurora downtime for average users. It only affected Aurora RPC, not the on-chain contract so it would be an infrastructure outage caused by a DOS attack.
The bug itself was an undercharging of EVM gas relative to the amount of computation required for certain inputs to the modexp precompile. This means an attacker could force a node (e.g. by eth_call) to spend many more CPU cycles than expected from the given gas limit. This bug impacted almost all EVM implementations (including geth), and probably has been present since modexp was first introduced. The fix for the bug is to use better algorithms in the modexp implementation.
We thank Guido Vranken for responsibly disclosing the vulnerability and great cooperation!
*Reward paid in AURORA tokens.
Other reports
Hacker: various hackers
Reward: $2.000 USD*
We have received various additional reports that were rewarded according to the rules of our Bug Bounty Program, or appropriately to their significance.
Big shoutout and a massive thank you to the awesome folks who flagged these bugs! Your keen eye helps keep us all safer online
*Rewards paid in AURORA tokens.