Full Report
Celer is a blockchain protocol that enables cross-chain communication. It is built on top of Cosmos with the State Guardian Network (SGNv2). Validators of the SGN are responsible for monitoring the on-chain contracts and forwarding events to the destination chains. The author points out that the on-chain code is usually public while the internal infrastructure is not. The bridge works by calling `send` on one of the liquidity bridge contracts. This locks the tokens on that bridge and emits a `Send` event describing the details of the transfer. An SGN node picks up the event and calls `MsgProposeUpdates` to update the contract. To prevent malicious updates, there is a voting mechanism in place: a node votes on the outcome of a proposal by sending `MsgVoteUpdates`, which consists of yes or no votes on active proposals. The sync module takes in votes and adds them to a structure. At the end of the block, the `EndBlocker` function iterates through the updates to ensure that each item passed with a 2/3 vote. The `EndBlocker` function does not validate whether somebody has voted multiple times, so an attacking validator could vote multiple times. Yikes! That breaks the entire voting system. It results in directly lost funds, since the attacker can spoof on-chain events such as bridge transfers and much more. Celer has several mechanisms in place to prevent a complete draining of funds. First, there is a delay for large values on the bridges; this Volume Control contract gives the developers time to act. Secondly, the contracts are pausable, with automatic triggers to stop them. Overall, a fairly simple bug in a complicated architecture.
Analysis Summary
# Vulnerability: Double Voting Logic Flaw in Celer State Guardian Network (SGNv2)
## CVE Details
- **CVE ID**: Not Assigned (Reported via private disclosure)
- **CVSS Score**: Estimated 9.1 (Critical) - *Based on the ability to spoof consensus and exfiltrate funds.*
- **CWE**: CWE-670: Always-Incorrect Control Flow Implementation (specifically logic error in vote tallying)
## Affected Systems
- **Products**: Celer State Guardian Network (SGNv2)
- **Versions**: Versions prior to May 2024 (Specific commit hashes: `80021bac14e908764ef900f90c85205d47654e04` and earlier)
- **Configurations**: Cosmos-based Proof-of-Stake (PoS) infrastructure used for monitoring cross-chain event logs.
## Vulnerability Description
The SGNv2 "Sync" module contains a critical logic flaw in how it handles validator votes for proposed cross-chain updates. When a validator monitors an on-chain event (like a token bridge `Send`), it proposes an update via `MsgProposeUpdates`. Other validators then submit `MsgVoteUpdates` ("Yes" or "No").
The vulnerability exists in the `EndBlocker` function of the sync module. While the system collects votes, the function responsible for tallying them fails to verify if a validator has already voted on a specific proposal. An attacking validator could submit multiple `MsgVoteUpdates` messages for the same proposal within a single block. The system would count each submission toward the 2/3 majority requirement, allowing a single malicious validator to bypass the decentralized consensus mechanism entirely.
## Exploitation
- **Status**: PoC available (developed by Jump Crypto); Not exploited in the wild.
- **Complexity**: Low (Requires a bonded validator node, but the logic error is trivial to trigger).
- **Attack Vector**: Network (Messages sent to the SGN blockchain).
## Impact
- **Confidentiality**: None
- **Integrity**: Critical (Attackers can spoof bridge transfers and finalize fraudulent cross-chain messages).
- **Availability**: High (Can lead to chain halt or emergency suspension of bridge contracts).
## Remediation
### Patches
- The Celer team has released a patch for the SGNv2 node software that implements a check to ensure each validator's vote is only counted once per proposal. Users and validators should ensure they are running the latest version of the SGNv2 binary.
### Workarounds
- **Volume Control**: Celer utilizes a `VolumeControl.sol` contract on-chain that limits the total value of tokens extracted within a specific timeframe.
- **Contract Pausing**: The bridge employs a "Pauser" mechanism that can be triggered by governors or automatic under-collateralization detection to halt operations during an active exploit.
## Detection
- **Indicators of Compromise**: Multiple `MsgVoteUpdates` from the same validator address targeting the same `update_id` within the same block or epoch.
- **Detection Methods**: Monitoring SGNv2 blockchain telemetry for abnormal voting patterns where the number of votes exceeds the number of active validators.
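The tally flaw from the Vulnerability Description and the duplicate-vote indicator from this Detection section, as an added Go illustration that is not SGNv2's code: the `Vote` type, field names, the `tally`/`passes`/`duplicateVotes` helpers and the validator power set are all assumptions constructed for the example.

```go
package main

import "fmt"

// Vote stands in for a MsgVoteUpdates message; the field names are this example's assumption.
type Vote struct {
	UpdateID uint64
	Voter    string // validator address
	Yes      bool
}

// tally sums bonded power behind "yes" votes on one update. dedup=false mirrors the page's
// flaw (every message adds the voter's power); dedup=true counts each validator once.
func tally(votes []Vote, power map[string]int64, updateID uint64, dedup bool) int64 {
	seen := map[string]bool{}
	var yes int64
	for _, v := range votes {
		if v.UpdateID != updateID || !v.Yes {
			continue
		}
		if dedup && seen[v.Voter] {
			continue // repeated vote from the same validator is ignored
		}
		seen[v.Voter] = true
		yes += power[v.Voter]
	}
	return yes
}

func passes(yes, total int64) bool { return yes*3 >= total*2 } // 2/3 supermajority, integer math

// duplicateVotes flags every (update_id, voter) pair with more than one message: the IoC above.
func duplicateVotes(votes []Vote) map[string]int {
	count := map[string]int{}
	for _, v := range votes {
		count[fmt.Sprintf("%d:%s", v.UpdateID, v.Voter)]++
	}
	for k, n := range count {
		if n < 2 {
			delete(count, k) // keep only repeat voters
		}
	}
	return count
}

func main() {
	power := map[string]int64{"valA": 40, "valB": 30, "valC": 30} // constructed set, total 100
	votes := []Vote{{7, "valA", true}, {7, "valA", true}, {7, "valA", true}, {7, "valB", false}}
	fmt.Println(passes(tally(votes, power, 7, false), 100)) // true: 40% passes via repeats
	fmt.Println(passes(tally(votes, power, 7, true), 100))  // false: hardened tally
	fmt.Println(duplicateVotes(votes))                      // map[7:valA:3]
}
```

A monitor can run `duplicateVotes` over the `MsgVoteUpdates` seen in each block; any entry at all means a validator's power was counted more than once by an unpatched node.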
## References
- Celer Network Official: [https://celer.network/](https://celer.network/)
- SGNv2 Repository: [https://github.com/celer-network/sgnv2](https://github.com/celer-network/sgnv2)
- Vulnerability Report: [https://www-webflow.jumpcrypto.com/resource-category/blogs](https://www-webflow.jumpcrypto.com/resource-category/blogs)
- Celer Smart Contracts: [https://github.com/celer-network/sgn-v2-contracts](https://github.com/celer-network/sgn-v2-contracts)