Full Report
There are two ways that things can be hacked in blockchain-land: attacking code running on the blockchain or attacking the blockchain itself. This bug was found while auditing code for Frontier, the EVM implementation for Polkadot. Frontier executes Ethereum smart contracts but uses the Polkadot Substrate as the ledger; differences between the two can cause major problems.

Ethereum stores integers as 256 bits, but Polkadot stores them on the ledger as 128 bits. The conversion is done by truncating the number in Rust. The balance can never be larger than 128 bits, so what's the problem? The msg.value of a transaction is a full 256-bit value controlled by the user, even if it is an invalid amount to send. This bypasses the verification of the usage of funds within the ledger math but results in it not adding funds to our account. What if a contract used the full msg.value, though? This is the key to the bug. Code written in Solidity will use the full msg.value while the ledger only uses the 128 bits. So, we can call something that uses native ETH, like WETH, and trick it into sending us something that we shouldn't own. The exploit payload is awesomely simple: weth.deposit{value : 1 . This will deposit an insane amount of WETH into our account without spending any actual ETH.

From the author's estimates, over 150M dollars were at risk. Even though Moonbeam, Astar and Polkadot all had 1M bug bounty programs each, they decided to reward a total of 1M and split the bounty. Kind of a bummer for the author of the post, but a million is an insane amount of money. Overall, amazing bug discovery and exploitation of the issue.
Analysis Summary
# Vulnerability: Large Integer Truncation in Frontier EVM Implementation
## CVE Details
- **CVE ID**: Not explicitly assigned (Common in blockchain-specific design flaws)
- **CVSS Score**: 10.0 (Calculated estimate based on Critical impact)
- **CWE**: CWE-197 (Numeric Truncation Error), CWE-681 (Incorrect Conversion between Numeric Types)
## Affected Systems
- **Products**: Blockchain networks using the **Frontier** EVM compatibility layer on Substrate.
- **Versions**: Versions of Frontier prior to the June 2022 security updates.
- **Configurations**: Any Parachain or Substrate-based chain (e.g., **Moonbeam**, **Astar**) that executes Ethereum smart contracts where the ledger (Rust) uses 128-bit integers for balances while the EVM allows 256-bit `msg.value` inputs.
## Vulnerability Description
The flaw stems from a data type mismatch between the Ethereum Virtual Machine (EVM) and the Polkadot Substrate ledger.
- **Ethereum/EVM**: Uses 256-bit integers (`U256`) to represent currency values.
- **Substrate/Rust**: Uses 128-bit integers (`U128`) for the underlying ledger balances.
When a user initiates a transaction with a `msg.value` exceeding $2^{128}-1$, the Frontier implementation truncated the 256-bit value into a 128-bit value to perform the ledger update. While the Substrate ledger correctly rejected the "actual" transfer of funds because the value was invalid/overflowed, the **EVM environment still recognized the full 256-bit value**.
This discrepancy allowed an attacker to call a smart contract (such as a WETH `deposit()` function) with a massive `msg.value`. The smart contract would register the full 256-bit amount to the user's internal balance, even though the underlying native gas/tokens were never actually deducted from the attacker's wallet.
## Exploitation
- **Status**: PoC available; disclosed via white-hat bug bounty (Immunefi).
- **Complexity**: Low
- **Attack Vector**: Network (Smart Contract Interaction)
- **Payload Example**: `weth.deposit{value: (1 << 128) + 1}()`. This would result in the ledger seeing a deposit of `1` (after truncation), but the WETH contract granting `(1 << 128) + 1` tokens.
## Impact
- **Confidentiality**: None
- **Integrity**: Critical (Complete corruption of token supply and protocol balances)
- **Availability**: High (Potential for total protocol insolvency)
## Remediation
### Patches
- The Frontier compatibility layer was updated to include strict validation. Any `msg.value` exceeding the `U128` maximum is now rejected before contract execution begins.
- **Moonbeam/Astar**: Patches were applied in June 2022.
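The mismatch described under Vulnerability Description and the pre-execution range check described above can be shown side by side in a small model. This is an added example, not Frontier's code: the `U256` struct, `TxError`, and both `deposit_*` functions are hypothetical names, and the ledger is reduced to a single `u128` balance.

```rust
// Toy model added for illustration; not Frontier's code. All names are hypothetical.

/// A 256-bit EVM word as two 128-bit halves (the standard library has no U256).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct U256 { pub hi: u128, pub lo: u128 }

impl U256 {
    /// Lossy narrowing: silently drops the upper 128 bits (CWE-197).
    pub fn low_u128(self) -> u128 { self.lo }
    /// Checked narrowing: None when the value does not fit in 128 bits.
    pub fn checked_u128(self) -> Option<u128> {
        if self.hi == 0 { Some(self.lo) } else { None }
    }
}

#[derive(Debug, PartialEq)]
pub enum TxError { ValueOutOfRange, InsufficientBalance }

/// Mismatched shape: the ledger debits the truncated value, while the
/// contract is credited with the full 256-bit msg.value.
pub fn deposit_truncating(native: &mut u128, msg_value: U256) -> Result<U256, TxError> {
    let debit = msg_value.low_u128();
    *native = native.checked_sub(debit).ok_or(TxError::InsufficientBalance)?;
    Ok(msg_value) // amount the contract records
}

/// Corrected shape: reject an out-of-range msg.value before any state changes,
/// so the ledger debit and the contract credit are always the same number.
pub fn deposit_checked(native: &mut u128, msg_value: U256) -> Result<U256, TxError> {
    let debit = msg_value.checked_u128().ok_or(TxError::ValueOutOfRange)?;
    *native = native.checked_sub(debit).ok_or(TxError::InsufficientBalance)?;
    Ok(U256 { hi: 0, lo: debit })
}

fn main() {
    // Constructed input: (1 << 128) + 1, i.e. hi = 1, lo = 1.
    let value = U256 { hi: 1, lo: 1 };
    let (mut a, mut b) = (10u128, 10u128);
    let lossy = deposit_truncating(&mut a, value);
    let strict = deposit_checked(&mut b, value);
    println!("truncating: {:?}, ledger balance {}", lossy, a);
    println!("checked:    {:?}, ledger balance {}", strict, b);
}
```

In the truncating path the ledger balance drops by 1 while the credited amount keeps its high half; in the checked path the call fails and the balance is untouched.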
### Workarounds
- Developers of smart contracts on Frontier-based chains were advised to add manual checks for `msg.value` limits, though a protocol-level fix is the only comprehensive solution.
## Detection
- **Indicators of Compromise**: Transactions where `msg.value` exceeds the maximum value of a 128-bit integer ($3.4 \times 10^{38}$ wei).
- **Detection Methods**: Monitoring for large discrepancies between native token transfers and internal contract state updates (e.g., WETH minting events).
## References
- [https://paragraph-xyz/@pwning-2/how-to-steal-100m-from-flawless-smart-contracts]
- [https://immunefi-com/bounty/moonbeam/]
- [https://github-com/paritytech/frontier]