According to a May 16 announcement from Zellic, the security firm hired to audit the network's security, the Sui blockchain network has quietly fixed a vulnerability that could have put “billions of dollars” at risk. The bug resides in a dependency of the bytecode verifier, which ensures that the human-readable Move language used to write smart contracts on Sui is correctly transcribed into machine code during deployment. Left unfixed, the vulnerability could "allow an attacker to bypass multiple security attributes, resulting in potentially significant financial loss," the announcement said.
In a statement to Cointelegraph, Mysten Labs confirmed that the bug has been fixed in the SUI version of MOVE.
Zellic claimed that the vulnerability may also exist in other Move-based networks, including Aptos and Starcoin. According to the Zellic team, however, the bug was removed from the Aptos version by a patch on April 10. In conversation with Cointelegraph, a representative from the Move-based 0L network stated that the bug does not affect its Move version. On May 15, 0L added a series of tests to its GitHub demonstrating that the vulnerability cannot be exploited on the 0L version. The Starcoin team told Cointelegraph that its version was phased out on April 5.
Sui is a blockchain network developed by Mysten Labs and founded by former Meta Platforms engineers. It is a fork of the open-source Libra project created by Facebook parent company Meta. Libra shut down in 2019.
Some developers like the Move smart contract language because of security features that are particularly beneficial to blockchains. For example, it allows developers to create custom data types, including "coin" types that cannot be copied or deleted. Like other blockchain networks, Sui doesn't store code in the same language it was written in. Instead, it converts this code from the human-readable language it was written in to machine-readable bytecode.
When doing this translation, Sui goes through a series of verifications to ensure that the translated code doesn't violate the security properties of the network. For example, it ensures that coins cannot be deleted or copied.
According to Zellic's explanatory blog post, it was hired by Mysten Labs to conduct a security assessment of the verifier. It did not find bugs in the verifier itself. However, it found an error in the "control flow graph," or "CFG," code that the verifier uses to accomplish many of its tasks. Because of the way it is written, the CFG can allow certain lines of code to be hidden from the verifier, allowing code that violates the network's security principles to be stored and run without detection. In its explanation, the team said the most obvious way the bug could be exploited is through flash loans taken by malicious borrowers. When implementing flash loans on a Move-based network, the lending protocol typically sends the borrower an asset that cannot be deleted. If borrowers can delete that asset, they “can successfully obtain a flash loan without having to repay the borrowed funds,” the team said. Since the vulnerability allows a violation of fundamental principles of Move security, other types of exploits are possible as well. As a result, the security firm said in its post, the bug was "[putting] potentially billions of dollars at risk."
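As an added illustration (not code from Zellic, Mysten Labs or any project named here), the following Sui Move sketch shows the "hot potato" flash-loan pattern the post describes: the Receipt struct is declared with no abilities, so it is the bytecode verifier's ability checks that force the borrower to hand it back through repay before the transaction can end. The module name, error codes and pool layout are assumptions; it relies on the public sui::coin, sui::balance and sui::object framework APIs.

```move
module flash::pool {
    use sui::balance::{Self, Balance};
    use sui::coin::{Self, Coin};
    use sui::object::{Self, ID, UID};
    use sui::tx_context::TxContext;

    // Hypothetical error codes for this example.
    const EWrongPool: u64 = 0;
    const EInsufficientRepayment: u64 = 1;

    /// Liquidity pool holding the lendable reserve (assumed layout).
    struct Pool<phantom T> has key {
        id: UID,
        reserve: Balance<T>,
    }

    /// "Hot potato" receipt: declared with NO abilities (no copy, drop, key or store).
    /// The bytecode verifier rejects any transaction that copies it or lets it go out
    /// of scope; the only way to consume it is `repay`, which unpacks it.
    struct Receipt {
        pool_id: ID,
        amount: u64,
    }

    /// Hand out `amount` from the reserve together with a Receipt that must come back.
    public fun borrow<T>(pool: &mut Pool<T>, amount: u64, ctx: &mut TxContext): (Coin<T>, Receipt) {
        let loan = coin::take(&mut pool.reserve, amount, ctx);
        let receipt = Receipt { pool_id: object::uid_to_inner(&pool.id), amount };
        (loan, receipt)
    }

    /// The only function that can destroy a Receipt: it checks that the payment covers
    /// the loan and returns the funds to the same pool. If the verifier's ability checks
    /// could be bypassed (the bug class Zellic describes), a borrower could delete the
    /// Receipt instead of calling this and keep the loan without repaying.
    public fun repay<T>(pool: &mut Pool<T>, payment: Coin<T>, receipt: Receipt) {
        let Receipt { pool_id, amount } = receipt;
        assert!(pool_id == object::uid_to_inner(&pool.id), EWrongPool);
        assert!(coin::value(&payment) >= amount, EInsufficientRepayment);
        balance::join(&mut pool.reserve, coin::into_balance(payment));
    }
}
```

Because Receipt cannot be dropped, a transaction that calls borrow without a matching repay fails verification rather than executing; that guarantee is exactly what a verifier bypass would undermine.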
Move-based networks and their apps have been making waves in the fundraising world lately. On May 8, a decentralized exchange called Cetus raised more than $6 million in one minute. The company behind Aptos also raised more than $150 million in July 2022.