Full Report
Mt Pelerin is a financial institution in Switzerland that leverages the blockchain to operate. The smart contract ComplianceRegistry is responsible for storing identity information linked to an address, together with the history of that address. The Compliance Registry is managed by trusted intermediaries, such as KYC/AML providers; depending on which provider a token uses, the registry returns that token's compliance information. The function cancelOnHoldTransfers can be called by the sender of on-hold transfers to cancel them and get the tokens back. It takes a trusted intermediary and an array of transfer IDs to cancel. A loop verifies that transfer.from is the same as msg.sender for each transfer to be cancelled, but it never checks whether that transfer has already been cancelled. The refund is sent back to the user within each iteration and the transfer is only marked as cancelled afterwards, so the status is never consulted before the payout. To exploit this, the attacker passes the same transfer ID in the array multiple times: every occurrence triggers another refund, until the contract's token balance is drained. Overall, a good bug of a kind that seems common when looping over elements that hold funds.
Analysis Summary
# Vulnerability: Mt Pelerin Double Transaction Cancellation / Infinite Refund
## CVE Details
- **CVE ID**: Not Assigned (DeFi/Smart Contract vulnerability)
- **CVSS Score**: 9.1 (Critical) - *Estimated based on total loss of funds*
- **CWE**: CWE-670: Always-Incorrect Control Flow Implementation; CWE-841: Improper Enforcement of Behavioral Workflow (refund issued without checking that the transfer is still on hold)
## Affected Systems
- **Products**: Mt Pelerin bridge protocol (`bridge-v2`); `ComplianceRegistry.sol` smart contract
- **Versions**: `bridge-v2` prior to commit `e9532504bc1495769e804bfc9fb2f3d21e31a977`
- **Configurations**: Deployments of `ComplianceRegistry` in which `cancelOnHoldTransfers` is used to cancel transfers held for a trusted intermediary.
## Vulnerability Description
The flaw exists within the `cancelOnHoldTransfers` function of the `ComplianceRegistry` contract. This function lets the sender of on-hold transfers cancel them and reclaim the tokens. It accepts an array of transfer IDs and processes them in a `for` loop.
**The Technical Gap:** Each iteration verifies that `msg.sender` is the transfer's `from` address, but it never checks the transfer's status before issuing the refund. The refund is paid out inside the iteration and the status is only updated afterwards, so a status already changed by an earlier iteration of the same call is never consulted. An attacker can therefore pass an array containing the same transfer ID multiple times: the contract treats every entry as a valid on-hold transfer and refunds the amount for each one, draining the contract's token balance.
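The following model reproduces the control-flow defect described above and the corresponding fix. It is an added example written for this review, not Mt Pelerin's `ComplianceRegistry` code: the class and method names, the addresses, amounts and transaction hashes are all constructed, and token balances are plain dictionaries standing in for ERC20 transfers. The `call` wrapper emulates EVM revert semantics so that the fixed loop's failure rolls back the refund that preceded it, as it would on chain.

```python
"""Model of the cancel-on-hold loop (added example, not the project's code).

Only the behaviour the write-up describes is kept: the vulnerable loop checks
that the caller is the transfer's `from` address, pays the refund, and only
then marks the transfer cancelled, so duplicate IDs in one call each refund.
All names, addresses, amounts and tx hashes are constructed for the example.
"""
import copy
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ON_HOLD = "on_hold"
    CANCELLED = "cancelled"


@dataclass
class Transfer:
    sender: str      # `transfer.from` in the write-up
    token: str
    amount: int
    status: Status = Status.ON_HOLD


class Registry:
    """Toy stand-in for the contract; balances are dicts, not ERC20 calls."""

    def __init__(self):
        self.transfers = {}   # transfer_id -> Transfer
        self.held = {}        # token -> amount the contract currently holds
        self.balances = {}    # (token, address) -> amount
        self.events = []      # (tx_hash, transfer_id), one per refund paid
        self.next_id = 0

    def put_on_hold(self, sender, token, amount):
        """Move `amount` of `token` from `sender` into the contract's custody."""
        self.balances[(token, sender)] = self.balances.get((token, sender), 0) - amount
        self.held[token] = self.held.get(token, 0) + amount
        tid = self.next_id
        self.transfers[tid] = Transfer(sender, token, amount)
        self.next_id += 1
        return tid

    def _refund(self, tid, tx_hash):
        t = self.transfers[tid]
        if self.held[t.token] < t.amount:
            raise RuntimeError("token transfer reverted: contract balance exhausted")
        # Refund first, status update second. Nothing here asks whether the
        # transfer is still on hold, so this runs once per array entry.
        self.held[t.token] -= t.amount
        self.balances[(t.token, t.sender)] = self.balances.get((t.token, t.sender), 0) + t.amount
        t.status = Status.CANCELLED
        self.events.append((tx_hash, tid))

    def cancel_on_hold_transfers_vulnerable(self, caller, ids, tx_hash):
        for tid in ids:
            if self.transfers[tid].sender != caller:   # the only check performed
                raise PermissionError("caller is not the transfer sender")
            self._refund(tid, tx_hash)

    def cancel_on_hold_transfers_fixed(self, caller, ids, tx_hash):
        for tid in ids:
            t = self.transfers[tid]
            if t.sender != caller:
                raise PermissionError("caller is not the transfer sender")
            # Fix: check the status at the top of *every* iteration, so the
            # second occurrence of an ID sees CANCELLED and the call reverts.
            if t.status != Status.ON_HOLD:
                raise ValueError(f"transfer {tid} is {t.status.value}, not on hold")
            self._refund(tid, tx_hash)

    def call(self, fn, *args):
        """EVM revert semantics: on any exception, roll back all state."""
        snapshot = copy.deepcopy(self.__dict__)
        try:
            fn(*args)
            return True
        except (PermissionError, ValueError, RuntimeError):
            self.__dict__ = snapshot
            return False


def demo():
    """Attacker has 100 TOK on hold, a victim has 500 TOK on hold; the attacker
    cancels its own transfer six times in one call. Returns both outcomes."""
    results = {}
    for name in ("vulnerable", "fixed"):
        reg = Registry()
        reg.balances = {("TOK", "0xVictim"): 500, ("TOK", "0xAttacker"): 100}
        reg.put_on_hold("0xVictim", "TOK", 500)           # constructed parties
        attacker_tid = reg.put_on_hold("0xAttacker", "TOK", 100)
        fn = getattr(reg, f"cancel_on_hold_transfers_{name}")
        ok = reg.call(fn, "0xAttacker", [attacker_tid] * 6, "0xtx1")
        results[name] = {
            "succeeded": ok,
            "attacker_balance": reg.balances[("TOK", "0xAttacker")],
            "contract_held": reg.held["TOK"],
            "refund_events": len(reg.events),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the vulnerable loop the attacker walks away with 600 TOK, six refund events are emitted for one transfer ID in one transaction (the indicator listed under Detection), and the contract is left holding nothing; a seventh duplicate would have reverted only because the balance was exhausted. With the status check the second entry reverts and the whole call is rolled back.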
## Exploitation
- **Status**: PoC available (Disclosed via Immunefi bug bounty)
- **Complexity**: Low
- **Attack Vector**: Network (Smart Contract Interaction)
## Impact
- **Confidentiality**: None
- **Integrity**: High (unauthorized modification of contract balances)
- **Availability**: High (Potential draining of all contract-held funds)
## Remediation
### Patches
- The vulnerability was addressed in the `bridge-v2` repository.
- **Fix**: Update to commit `e9532504bc1495769e804bfc9fb2f3d21e31a977`. The fix adds a `require` check on the transfer's status so that a transfer that is already cancelled cannot be refunded again; the check runs at the top of each loop iteration, so a duplicated ID causes the whole call to revert.
### Workarounds
- No manual workarounds provided; users must interact with the patched version of the protocol.
## Detection
- **Indicators of compromise**: Multiple `TransferCancelled` events emitted under a single transaction hash that reference the same `transferId`; a single cancellation call that refunds more than the caller ever placed on hold.
- **Detection methods**: Security auditors should use static analysis tools (such as Slither or Mythril) to flag loops that perform external calls or token transfers without verifying a status flag at the start of each iteration, and should manually review any function that accepts an array of IDs for how it handles duplicates.
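A small on-chain check for the first indicator, as an added example rather than the project's own tooling. It assumes decoded event logs in a web3-style shape (`event`, `transactionHash`, and an `args` mapping with `transferId` and `amount`); the event name `TransferCancelled` follows the indicator above and should be replaced by whatever the deployed contract's ABI actually emits. The sample log entries are constructed for the example.

```python
"""Duplicate-cancellation detector (added example, not the project's code).

Assumes decoded logs shaped like web3 event dicts; the event and field
names are assumptions to adapt to the real ABI. Sample data is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample: tx 0xaaa cancels transferId 7 twice and transferId 9 once;
# tx 0xbbb is a normal single cancellation plus an unrelated event.
SAMPLE_EVENTS = [
    {"event": "TransferCancelled", "transactionHash": "0xaaa", "args": {"transferId": 7, "amount": 100}},
    {"event": "TransferCancelled", "transactionHash": "0xaaa", "args": {"transferId": 7, "amount": 100}},
    {"event": "TransferCancelled", "transactionHash": "0xaaa", "args": {"transferId": 9, "amount": 50}},
    {"event": "TransferCancelled", "transactionHash": "0xbbb", "args": {"transferId": 3, "amount": 25}},
    {"event": "Transfer", "transactionHash": "0xbbb", "args": {"transferId": 3, "amount": 25}},
]


def find_duplicate_cancellations(events, event_name="TransferCancelled"):
    """Return {tx_hash: {transferId: count}} for every transfer ID cancelled more
    than once within one transaction. An empty dict means nothing suspicious."""
    per_tx = defaultdict(Counter)
    for ev in events:
        if ev.get("event") != event_name:
            continue
        per_tx[ev["transactionHash"]][ev["args"]["transferId"]] += 1
    return {
        tx: {tid: n for tid, n in ids.items() if n > 1}
        for tx, ids in per_tx.items()
        if any(n > 1 for n in ids.values())
    }


def refunded_per_tx(events, event_name="TransferCancelled"):
    """Total amount refunded per transaction; compare against what the caller
    actually had on hold to catch the second indicator (over-refund)."""
    totals = Counter()
    for ev in events:
        if ev.get("event") == event_name:
            totals[ev["transactionHash"]] += ev["args"]["amount"]
    return dict(totals)


if __name__ == "__main__":
    print(find_duplicate_cancellations(SAMPLE_EVENTS))   # {'0xaaa': {7: 2}}
    print(refunded_per_tx(SAMPLE_EVENTS))                # {'0xaaa': 250, '0xbbb': 25}
```

On a live deployment the same two functions can be fed the output of a `getLogs` query over the contract's address; any transaction flagged by the first function, or whose total in the second exceeds the caller's on-hold balance at that block, is worth a manual look.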
## References
- **Vendor Advisory**: hxxps://github[.]com/MtPelerin/bridge-v2/commit/e9532504bc1495769e804bfc9fb2f3d21e31a977
- **Project Site**: hxxps://www[.]mtpelerin[.]com/
- **Original Write-up**: hxxps://medium[.]com/immunefi/mt-pelerin-double-transaction-bugfix-review-503838db3d70