pNetwork Hack - September 19, 2021
Overview
On September 19, 2021, an attacker took advantage of a vulnerability in pNetwork's code to steal 277 BTC worth over $13 million from the protocol. The exploit specifically targeted the pBTC-on-BSC bridge.
What Was Affected
• pBTC-on-BSC: the only bridge that was successfully attacked
• Other bridges (pBTC-on-ETH, pBTC-on-EOS) were NOT affected
Technical Root Cause
The pNetwork hack was made possible by a flaw in the code that processed event logs for the protocol. These event logs include peg-out requests that are processed by the protocol to unlock cryptocurrency on the Bitcoin blockchain.
The issue was improper validation of peg-out requests. The Rust code that extracted and processed these event logs did not validate that the requests originated from the legitimate pNetwork contracts. Fake requests generated by an attacker-controlled contract were therefore processed as legitimate, and the bridge erroneously unlocked tokens and transmitted them to the attacker.
Attack Vector / Steps
1. Attacker deployed a malicious contract on Binance Smart Chain that emitted event logs with the same shape as legitimate pNetwork peg-out request events
2. pNetwork's off-chain validators read these event logs without verifying that the emitting contract address matched the legitimate pNetwork pBTC contract
3. The off-chain bridge accepted the fake peg-out requests
4. Bridge software unlocked native BTC on the Bitcoin chain corresponding to the fake requests
5. Native BTC (~277 BTC, ~$13M) was sent to the attacker's Bitcoin address
Financial Impact
• 277 BTC stolen (~$13 million at the time of the hack)
• Funds moved to a single Bitcoin address controlled by the attacker
Response
• pNetwork offered the attacker a $1,500,000 bug bounty in exchange for the return of the stolen funds
• The attacker did not respond to the bounty offer
• The stolen funds remained on the attacker's BTC address and have not been moved since the hack
Remediation
The pNetwork team published a post-mortem and patched the validation logic in the Rust off-chain bridge code so that peg-out request event logs must originate from the legitimate pNetwork contract address before they are accepted.
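The following Rust program is an added illustration of the root cause and the fix described in the "Technical Root Cause" and "Remediation" sections above; it is not pNetwork's code and does not reproduce its event format. It models an off-chain bridge component that scans EVM-style event logs for peg-out (redeem) requests. The unchecked extractor keeps any log whose event signature matches, whatever contract emitted it; the checked extractor additionally requires the log's emitter address to equal the one trusted pBTC contract. The log struct fields, the data layout (8-byte amount plus UTF-8 destination), the topic hash, the contract addresses and the sample logs are all constructed placeholders for this example.

```rust
// Added example (not pNetwork's code): a minimal model of a peg-out
// event-log filter, with the missing emitter check beside the fixed version.

/// A simplified EVM log entry, as an off-chain bridge would receive it.
/// Field names and the event layout are assumptions for this example.
#[derive(Debug, Clone, PartialEq)]
pub struct EventLog {
    /// Address of the contract that emitted the log (hex string).
    pub address: String,
    /// topics[0] is the event signature hash; later topics are indexed params.
    pub topics: Vec<String>,
    /// Non-indexed event data: 8-byte big-endian satoshi amount + UTF-8 destination.
    pub data: Vec<u8>,
}

/// A peg-out request the bridge would act on by unlocking native BTC.
#[derive(Debug, Clone, PartialEq)]
pub struct PegOutRequest {
    pub btc_destination: String,
    pub amount_sats: u64,
}

/// Placeholder event signature hash; the real topic value is not given on the page.
pub const REDEEM_TOPIC: &str = "0xredeem_event_signature_placeholder";
/// Placeholder address of the one trusted pBTC contract (constructed, not the real one).
pub const TRUSTED_PBTC_CONTRACT: &str = "0x0000000000000000000000000000000000000001";

/// Decode the event data into a request. Returns None on malformed data.
fn decode_peg_out(log: &EventLog) -> Option<PegOutRequest> {
    if log.data.len() < 8 {
        return None;
    }
    let mut amt = [0u8; 8];
    amt.copy_from_slice(&log.data[..8]);
    let amount_sats = u64::from_be_bytes(amt);
    let btc_destination = String::from_utf8(log.data[8..].to_vec()).ok()?;
    Some(PegOutRequest { btc_destination, amount_sats })
}

fn is_redeem_event(log: &EventLog) -> bool {
    log.topics.first().map(|t| t.as_str() == REDEEM_TOPIC).unwrap_or(false)
}

/// VULNERABLE: keeps every log whose first topic matches the redeem event,
/// regardless of which contract emitted it. This is the class of flaw the
/// page describes: a look-alike event from any contract is treated as a
/// genuine peg-out request.
pub fn extract_peg_outs_unchecked(logs: &[EventLog]) -> Vec<PegOutRequest> {
    logs.iter()
        .filter(|l| is_redeem_event(l))
        .filter_map(decode_peg_out)
        .collect()
}

/// FIXED: additionally requires the emitting contract to be the trusted
/// pBTC contract. The comparison is case-insensitive so that a checksummed
/// address in configuration still matches a lower-case log field.
pub fn extract_peg_outs_checked(logs: &[EventLog], trusted_contract: &str) -> Vec<PegOutRequest> {
    let trusted = trusted_contract.to_ascii_lowercase();
    logs.iter()
        .filter(|l| l.address.to_ascii_lowercase() == trusted)
        .filter(|l| is_redeem_event(l))
        .filter_map(decode_peg_out)
        .collect()
}

/// Constructed sample logs: one from the (placeholder) trusted contract and
/// one of identical shape emitted by a different, untrusted contract.
pub fn sample_logs() -> Vec<EventLog> {
    let mut data_legit = 100_000u64.to_be_bytes().to_vec();
    data_legit.extend_from_slice(b"bc1q_legit_destination_placeholder");
    let mut data_fake = 27_700_000_000u64.to_be_bytes().to_vec();
    data_fake.extend_from_slice(b"bc1q_untrusted_destination_placeholder");
    vec![
        EventLog {
            address: TRUSTED_PBTC_CONTRACT.to_string(),
            topics: vec![REDEEM_TOPIC.to_string()],
            data: data_legit,
        },
        EventLog {
            address: "0x00000000000000000000000000000000deadbeef".to_string(),
            topics: vec![REDEEM_TOPIC.to_string()],
            data: data_fake,
        },
    ]
}

fn main() {
    let logs = sample_logs();
    println!("unchecked: {} request(s)", extract_peg_outs_unchecked(&logs).len());
    println!("checked:   {} request(s)", extract_peg_outs_checked(&logs, TRUSTED_PBTC_CONTRACT).len());
}
```

Run with `cargo run` or `rustc`: the unchecked filter returns two requests, one of them for 277 BTC to an address the bridge has no business paying, while the checked filter returns only the request emitted by the trusted contract. The general lesson is that matching on event shape alone is not authentication; an emitter-address allowlist (and, for any bridge, confirming the log belongs to a finalized block on the chain it claims to come from) is the minimum gate before a peg-out is acted upon.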
Sources