Web3 investor and developer Jump Crypto discovered a vulnerability in Celer's State Guardian Network (SGN) that allowed malicious validators to compromise the network and applications that depend on it, including Celer's cBridge.
Validators were allowed to vote multiple times on the same update due to a bug in the SGN EndBlocker code, according to a postmortem report by Jump Crypto. Voting multiple times lets malicious actors increase their voting power to approve harmful updates. The report explains: “The [EndBlocker] code is missing a check that prevents validators from voting twice on the same update. Malicious validators can exploit this by voting on the same update multiple times, effectively increasing their voting power and possibly favor votes against invalid or malicious updates.”
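The missing check described above can be illustrated with a small vote tally, shown first without and then with per-validator deduplication. This is an added example, not code from Celer's SGN or from Jump Crypto's report; the `Vote` type, validator names, voting powers and the two-thirds threshold are assumptions made for the illustration.

```go
package main

import "fmt"

// Vote is one validator's approval of a pending update (hypothetical type).
type Vote struct {
	Validator string
}

// tallyNaive adds voting power for every vote it sees, so a validator that
// submits the same vote repeatedly is counted repeatedly (the missing check).
func tallyNaive(votes []Vote, power map[string]int64) int64 {
	var yes int64
	for _, v := range votes {
		yes += power[v.Validator]
	}
	return yes
}

// tallyDeduped counts each known validator at most once per update.
func tallyDeduped(votes []Vote, power map[string]int64) int64 {
	seen := make(map[string]bool)
	var yes int64
	for _, v := range votes {
		p, known := power[v.Validator]
		if !known || seen[v.Validator] {
			continue // unknown signer or repeated vote: ignore it
		}
		seen[v.Validator] = true
		yes += p
	}
	return yes
}

// passes applies an assumed "more than 2/3 of total power" approval rule.
func passes(yes, total int64) bool {
	return yes*3 > total*2
}

func main() {
	// Constructed sample: four validators with 25 power each (total 100).
	power := map[string]int64{"val-a": 25, "val-b": 25, "val-c": 25, "val-d": 25}
	// val-a votes three times on the same update; nobody else votes.
	votes := []Vote{{"val-a"}, {"val-a"}, {"val-a"}}
	n, d := tallyNaive(votes, power), tallyDeduped(votes, power)
	fmt.Println("naive:  ", n, "approved:", passes(n, 100))
	fmt.Println("deduped:", d, "approved:", passes(d, 100))
}
```

With the naive tally a single validator holding a quarter of the power clears the threshold alone; the deduplicated tally counts that validator once and the update is not approved.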
Celer is a Cosmos-based blockchain that supports cross-chain communication. Jump reviewed the code after Celer released part of the off-chain SGNv2 code on GitHub. The protocol's team was then privately notified about the vulnerability, which was fixed without any malicious exploitation. As the report notes, the vulnerability would give malicious validators “a wide range of options,” including the ability to spoof arbitrary on-chain events, such as bridge transfers, message publications, or the staking and delegation of Celer's main SGN contract. However, Celer has defenses in place to avoid outright theft of bridge funds. The report highlights three mechanisms: a delay triggered by the bridge contract when it exceeds a certain value, a transaction volume control mechanism that limits the value of tokens that can be withdrawn in a short period of time, and a contract that triggers an emergency stop of transfers if malicious transfers lead to an undercollateralization event.
Despite these safeguards, the protocol is still not fully protected. According to Jump's report, transaction limits only apply to each chain and token, and “due to the large number of supported tokens and chains, it seems realistic that an attacker could steal ~$30 million worth of tokens before the contract was suspended.” According to DefiLlama, at the time of writing, this amount represents about 23% of the $129.28 million total value currently locked in Celer.
“It is important to note that these built-in mechanisms are only capable of securing Celer's own bridge contracts. By default, dApps built on top of Celer's interchain messaging will be fully exposed to these vulnerabilities,” the report continued. Celer is offering a $2 million bug bounty for vulnerabilities in its bridge. However, the bounty does not cover off-chain vulnerabilities, such as those found in the SGNv2 network.
Jump said it has been in discussions with the protocol to add the SGNv2 network to its bug bounty program. Celer's team is evaluating the potential payout reported by Jump.





















