Meter.io Minting Exploit
Meter.io operates a large multi-chain bridge (Meter Passport) that moves assets between blockchain smart contract networks. Funds deposited on the source chain are locked in the bridge's smart contracts and back the representative tokens issued on the destination chain. An attacker exploited a missing validation check in the bridge's native-token wrapping code to register deposits that never actually happened, so unbacked BNB and WETH were minted and the bridge's reserves for those tokens were drained. The loss is estimated at $4.4m; PeckShield traced about 1,391 ETH and 2.74 BTC of proceeds, and the ETH appears to have been sent through Tornado Cash. Meter.io has committed to compensating affected users with its MTRG token.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8]
About Meter.io
"High-performance blockchain infrastructure that scales and connects the financial Internet." "Meter is the fastest, most decentralized and scalable ethereum sidechain."
"Meter is a bridge that connects to Ethereum and some other chains." "Meter is fully compatible with Ethereum at the RPC level - bring over your Ethereum dApps with almost no changes! Unlike other Layer 2s and EVM chains, dApps built on Meter are fast, uncensorable and front running/MEV resistant."
"Moonriver houses several smart contracts on the Kusama network, built on Polkadot. In the same vein, Hundred Finance was developed using code from Compound Finance."
The Reality
"[T]he issue [was] a bug introduced in the automatic wrap and [un]wrap of native tokens like BNB and ETH extended by the Meter team." "The extended code had a wrong trust assumption which allowed [the] hacker to call the underlying ERC20 deposit function to fake a BNB or ETH transfer."
"We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience. However, the contract did not block direct interaction of the wrapped ERC20 tokens for the native gas token and did not properly transfer and verify the correct number of WETH transferred from the caller's address. We are working on compensating funds to all affected users," the company explained.
What Happened
"According to developers, the hack took place on February 5." "Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB [and] WETH."
Date | Event | Description |
---|---|---|
February 5th, 2022 7:48:42 AM MST | Exploit Transaction | The exploit transaction occurs on Moonriver[10]. |
February 5th, 2022 4:49:00 PM MST | Tweet Announcement | Meter.io announces they've set aside $4.4m worth of their METR token to assist affected users[11]. |
February 5th, 2022 5:34:00 PM MST | Peckshield Technical Analysis | Peckshield shares a technical analysis on Twitter about the exploit[12]. |
February 6th, 2022 11:40:00 AM MST | Hundred Finance Request | Hundred Finance reports that its Moonriver deployment was impacted by the bridge attack on Meter.io, which caused a local depreciation in the price of BNB.bsc[13]. Some accounts took advantage of the reduced BNB.bsc price to borrow assets on the platform; MIM and FRAX are currently affected. The platform asks account owners who borrowed assets to consider returning them so other users can access their liquidity. One account holder has already done so, and the platform is willing to offer bounties to the remaining three for doing the same. Funds on Hundred Finance's other deployments are not affected[14]. |
Technical Details
"[T]he issue [was] a bug introduced in the automatic wrap and [un]wrap of native tokens like BNB and ETH extended by the Meter team." "The extended code had a wrong trust assumption which allowed [the] hacker to call the underlying ERC20 deposit function to fake a BNB or ETH transfer."
"We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience. However, the contract did not block direct interaction of the wrapped ERC20 tokens for the native gas token and did not properly transfer and verify the correct number of WETH transferred from the caller's address. We are working on compensating funds to all affected users," the company explained.
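The following is an illustrative Solidity model of the "false deposit" pattern described in the statement above, showing a vulnerable deposit handler beside a hardened one. It is an added example and is not Meter.io's or ChainBridge's code; the contract names (VulnerableHandler, HardenedHandler), the function names (depositERC20, depositNative) and the `credited` mapping are assumptions for illustration. The vulnerable version reproduces the two defects the statement names: the ERC20 path does not block direct use of the wrapped gas token, and it never transfers or verifies the WETH it credits, so a caller-supplied amount is accepted on trust.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative model of the "false deposit" pattern, NOT Meter.io's or
// ChainBridge's code. Contract names, function names and the `credited`
// mapping are assumed for illustration.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

interface IWETH is IERC20 {
    function deposit() external payable;
}

/// Vulnerable shape: one entry point serves both plain ERC20 deposits and the
/// "auto-wrap the gas token" convenience path. When `token` is the wrapped gas
/// token it assumes the value arrived as msg.value and never pulls WETH from the
/// caller, yet it still credits the caller-supplied `amount`. Relayers mint the
/// credited amount on the destination chain, so depositERC20(WETH, 1000 ether)
/// with no ETH and no WETH yields 1000 unbacked WETH on the other side.
contract VulnerableHandler {
    IWETH public immutable weth;
    // token => depositor => amount the bridge believes it holds for them
    mapping(address => mapping(address => uint256)) public credited;

    event Deposit(address indexed token, address indexed depositor, uint256 amount);

    constructor(IWETH _weth) {
        weth = _weth;
    }

    function depositERC20(address token, uint256 amount) external payable {
        if (token == address(weth)) {
            // Convenience path: wrap whatever ETH came with the call ...
            if (msg.value > 0) {
                weth.deposit{value: msg.value}();
            }
            // ... but `amount` is never reconciled with msg.value, and no WETH
            // is transferred from msg.sender. This is the wrong trust assumption.
        } else {
            require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        }
        credited[token][msg.sender] += amount;
        emit Deposit(token, msg.sender, amount);
    }
}

/// Hardened shape: the two paths are separated and each credits only what the
/// contract can verify it received. The ERC20 path pulls tokens (WETH included)
/// and checks the balance delta; the native path credits exactly msg.value.
contract HardenedHandler {
    IWETH public immutable weth;
    mapping(address => mapping(address => uint256)) public credited;

    event Deposit(address indexed token, address indexed depositor, uint256 amount);

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // Not payable: stray ETH cannot be mistaken for a deposit on this path.
    function depositERC20(address token, uint256 amount) external {
        require(amount > 0, "zero amount");
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        // Credit only what actually arrived; refuse short transfers outright
        // rather than crediting the requested `amount`.
        require(received == amount, "received != amount");
        _credit(token, msg.sender, received);
    }

    // The only way to deposit the native gas token: the credited amount is
    // msg.value, never a number supplied in calldata.
    function depositNative() external payable {
        require(msg.value > 0, "no value");
        weth.deposit{value: msg.value}();
        _credit(address(weth), msg.sender, msg.value);
    }

    function _credit(address token, address depositor, uint256 amount) internal {
        credited[token][depositor] += amount;
        emit Deposit(token, depositor, amount);
    }
}
```

Either of the two fixes closes the hole on its own: rejecting the wrapped gas token on the ERC20 path so that native value can only enter through depositNative(), or pulling the tokens and verifying the balance delta before crediting. The hardened contract does the latter for every token, which goes slightly beyond this incident in that the balance-delta check also catches fee-on-transfer tokens that a bare transferFrom return value would miss; production code would additionally wrap the call in a SafeERC20-style helper for tokens that do not return a bool.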
"This means that the hackers sent an arbitrary amount of Ethereum to Meter, which was used to carry out the attack. After the attack, a series of events took place, affecting BNB’s price."
"After the attack, the hacker was said to have taken to Sushiswap to sell off all the BNB in his possession. After this, the price of BNB went down as far as 77% on Moonriver. Reacting to the price fall, most traders bought as much BNB as possible. After that, most of them took out loans in different tokens while using the BNB as collateral."
"The only impacted tokens were native gas tokens (WETH and BNB), and only Meter and Moonriver networks were impacted."
"A number of opportunists then took advantage of the price dip by buying cheap BNB. They used the tokens as collateral on Hundred Finance to take out ETH, FRAX and MIM loans. Due to the discrepancy in BNB price, however, their loans were worth more than the collateral they had provided, causing a supply crisis."
"Accounts were able to purchase BNB.bsc at a reduced price and use these tokens as collateral at the global Chainlink price to borrow uncompromised assets on our platform. Of these, MIM and FRAX are currently impacted." "We would like to request that owners of the accounts that did so consider returning the assets borrowed so that other users are able to access their liquidity. 1 acc. holder has already done so and we are willing to pay further bounties to remaining 3 for doing the same."
Peckshield Technical Analysis
The @Meter_IO is hacked with the loss of $~4.3M (including 1391.24945169 ETH + 2.74068396 BTC). The extension over the original (unaffected) ChainBridge introduces a false deposit issue !!!
Total Amount Lost
The total amount lost has been estimated at $4,400,000 USD.
"Hackers stole BNB and wETH of about $4.4 million using the wrong trust assumption in the developing code."
"Building bridges is a dangerous business. Another attack sees $4.4M taken from Meter.io on BSC, making Hundred Finance lose $3.3M in collateral damage."
Immediate Reactions
"We stopped all bridge transactions immediately and started an investigation." "Within 30 minutes we identified the issue to be a bug introduced in the automatic wrap and [un]wrap of native tokens like BNB and ETH extended by the Meter team."
"We have identified some early traces of the hacker and are working with authorities. We urge the hacker to return the funds." "Meter has discovered bits of the hacker’s digital breadcrumbs and cooperates with law enforcement to identify the hacker." "The blockchain security firm PeckShield estimated that in total, 1,391 ETH and 2.74 wBTC were taken by the attacker and have since been sent to Ethereum where the tokens have gone through Tornado Cash, an ETH transactions privacy tool."
"We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team. Please try [to] avoid trading in these pairs as well."
Ultimate Outcome
"Community, we really appreciate everyone's patience and support as we work to get back up and running after this morning's exploit." "We are working on taking snapshots and designing a compensation plan to the WETH and BNB holders and LP providers."
"A representative from the Hundred Finance team told Cointelegraph that it would wait about a day before taking steps to reopen MIM and FRAX markets on the Moonriver side of its platform."
"The Meter team has committed to reimbursing its community and Hundred Finance for losses incurred due to the hack. The team stated on Sunday that it had set aside $4.4 million in MTRG tokens to cover initial losses." "In its recent statement, Meter mentioned that it would refund users MTRG tokens while setting aside about $4.4 million of the said token."
"We are working on taking a snapshot from before the attack & will convert the original BNB & WETH to 1:1 their values in MTRG, the rest inflated BNB & WETH will be converted based on the hacker stolen value from the LP pools."
“Meter have of course accepted responsibility for this hack and are intending to use their native token for reimbursement to the extent that they can, currently we are in the gathering addresses and amounts stage.”
Total Amount Recovered
There do not appear to have been any funds recovered in this case. Meter.io has taken a snapshot from before the attack and set aside $4.4M of MTRG for compensation[11]; the status of that compensation is TBD.
Ongoing Developments
TBD
Individual Prevention Policies
Users of smart contracts have a special responsibility to ensure that contracts have been adequately validated.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Detailed reviews of smart contracts are critical, especially when a large amount of funds is at stake. Further review and validation of the bridge through additional smart contract audits, in particular of the native-token wrapping extension added on top of the original ChainBridge code, would have made it more likely that the error was caught.
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, a report on any risks to the backing of customer assets, confirmation that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and identification of any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Potential damage from an exploit could be reduced by implementing a multi-signature treasury to store most funds. The bridge contract can be replenished from the multi-signature wallet when necessary, while only the funds in the bridge wallet would be at risk. Ensure keys are held by trusted individuals in cold storage.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
An industry insurance fund could assist with selecting competent validators and could cover losses in case of any exploit resulting in lost funds.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Further review and validation of the bridge through additional smart contract audits would have made it more likely that the error was caught, and could have identified ways to improve the security of the bridge protocol and reduce risk.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund could assist with selecting competent validators and could cover losses in case of any exploit resulting in lost funds.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Rekt - Meter - REKT (Feb 8, 2022)
- [2] $4.4M Stolen in Hack of Blockchain Infrastructure Firm Meter (Feb 14, 2022)
- [3] $4.4 million stolen in attack on blockchain infrastructure Meter | ZDNet (Feb 14, 2022)
- [4] https://beincrypto.com/cross-chain-bridge-hack-of-meter-sees-4-4m-stolen/ (Feb 14, 2022)
- [5] Latest DeFi bridge exploit results in $4.4M losses for Meter (Feb 14, 2022)
- [6] https://www.cryptopolitan.com/meter-loses-4-million-in-latest-defi-breach/ (Feb 14, 2022)
- [7] @Meter_IO Twitter (Feb 14, 2022)
- [8] https://etherscan.io/txs?a=0x8d3d13cac607B7297Ff61A5E1E71072758AF4D01 (Feb 14, 2022)
- [9] Meter - The Future Is Multi-Chain (Feb 13, 2022)
- [10] MOVR Transaction Hash (Txhash) Details | Moonriver (Feb 14, 2022)
- [11] Meter.io - "We are working on taking a snapshot from before the attack & will convert the original BNB & WETH to 1:1 their values in MTRG, the rest inflated BNB & WETH will be converted based on the hacker stolen value from the LP pools. We've set aside $4.4M of MTRG based on today's price." - Twitter (Feb 14, 2022)
- [12] peckshield - "The @Meter_IO is hacked with the loss of $~4.3M (including 1391.24945169 ETH + 2.74068396 BTC). The extension over the original (unaffected) ChainBridge introduces a false deposit issue !!!" - Twitter (Feb 14, 2022)
- [13] Hundred Finance - "Today Hundred Finance's @MoonriverNW deployment was effected by a bridge attack on @Meter_IO that resulted in the local depreciation in the price of BNB.bsc." - Twitter (Feb 14, 2022)
- [14] Hundred Finance - "Accounts were able to purchase BNB.bsc at a reduced price and use these tokens as collateral at the global Chainlink price to borrow uncompromised assets on our platform. Of these, MIM and FRAX are currently impacted." - Twitter (Feb 14, 2022)