Meter Bridge Hack - February 2022
Overview
In February 2022, the Meter.io cross-chain bridge was the victim of an attack. The attacker took advantage of a mistaken assumption in the blockchain protocol's code to drain $4.4 million from the bridge and cause Hundred Finance, which relied on the bridge, to lose an additional $3.3 million in assets. The total loss was approximately $7.7 million combined.
Technical Exploit Details
The Meter.io attacker took advantage of an assumption within the protocol's code regarding deposits of wrapped native tokens. For example, a deposit of wrapped Ether (WETH) would not trigger a burn or lock of tokens, because the wrapped ETH could be unwrapped and transferred to the handler contract. The problem with this assumption is that Meter had two functions through which users could make deposits: depositEth and the underlying ERC20 deposit function.
The depositEth function upholds this assumption: it validates the amount of value in the transaction's calldata, which is the value that will later be passed to the deposit function. However, the underlying ERC20 deposit function was also publicly accessible. Since that function did not validate the amount against the value actually received, the attacker was able to trick the protocol into paying out far more than they had put in.
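The following is an added illustration, not Meter's own code: a hypothetical bridge contract with the two deposit paths described above. The handler's token-pull logic is folded into a single internal function, and the interfaces and function names (depositETH, depositVulnerable, deposit, _credit) are assumptions chosen for the example. The vulnerable ERC20 path accepts the wrapped native token and lets the handler skip the transfer, while the hardened path forces all wrapped-native deposits through the value-checked native entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for the example (not the real Meter interfaces).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IWETH is IERC20 {
    function deposit() external payable;
}

/// Hypothetical bridge that records deposits for later release on the other chain.
contract Bridge {
    IWETH public immutable wrappedNative;
    // token => depositor => amount credited; this is what the other chain would pay out
    mapping(address => mapping(address => uint256)) public credited;

    constructor(IWETH _wrappedNative) {
        wrappedNative = _wrappedNative;
    }

    /// Native path: the value arrives in msg.value, is checked against `amount`,
    /// and is wrapped and held by the bridge before the deposit is credited.
    function depositETH(uint256 amount) external payable {
        require(msg.value == amount, "value mismatch");
        wrappedNative.deposit{value: msg.value}();
        _credit(address(wrappedNative), msg.sender, amount, true);
    }

    /// ERC20 path, VULNERABLE form: the wrapped native token is accepted here too,
    /// and the handler skips transferFrom because it assumes the value was already
    /// received through depositETH. Nothing is pulled from the caller, yet the
    /// full `amount` is credited.
    function depositVulnerable(address token, uint256 amount) external {
        _credit(token, msg.sender, amount, token == address(wrappedNative));
    }

    /// ERC20 path, HARDENED form: the wrapped native token is only accepted
    /// through depositETH, so the "already held" shortcut is unreachable here.
    function deposit(address token, uint256 amount) external {
        require(token != address(wrappedNative), "use depositETH for native");
        _credit(token, msg.sender, amount, false);
    }

    /// Handler logic: pull the tokens unless the bridge already holds them.
    function _credit(address token, address from, uint256 amount, bool alreadyHeld) internal {
        if (!alreadyHeld) {
            require(IERC20(token).transferFrom(from, address(this), amount), "transfer failed");
        }
        credited[token][from] += amount;
    }
}
```

The design point is that the "tokens are already held" flag must be derived from the entry point that actually received value, never from the token address alone. An audit check for this class of bug is to enumerate every externally reachable path into the handler and confirm that each one either transfers the tokens itself or can prove the value was received earlier in the same call.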
Cascading Impact on Hundred Finance
After draining Meter of its BNB and wETH reserves, the attacker sold the BNB on SushiSwap, a popular decentralized exchange. This led to a 77% crash in the price of BNB on Moonriver at the time.
Hundred Finance was affected by the attack because the local price of BNB.bsc was depressed by the hack. Exploiters were able to buy BNB.bsc at a discounted rate and use it as collateral for loans from Hundred Finance, which valued the asset at the global Chainlink price. As a result, the attackers could drain uncompressed assets from the protocol. Two of these loans were repaid, leaving an outstanding $3.3 million in losses to the Hundred protocol.
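As an added example of a defensive check for the failure mode just described (this is not Hundred Finance's or Chainlink's code, and the oracle and market interfaces are assumptions), the contract below values collateral only when the global feed and the local market agree within a configured tolerance, and otherwise refuses to price the asset:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical price sources, both returning 1e18-scaled prices.
interface IGlobalOracle {
    function price(address asset) external view returns (uint256);
}

interface ILocalMarket {
    function spotPrice(address asset) external view returns (uint256);
}

/// Hypothetical collateral valuation with a global-vs-local deviation guard.
contract CollateralValuer {
    IGlobalOracle public immutable oracle;
    ILocalMarket public immutable market;
    // Maximum tolerated gap between the two sources, in basis points (10% here).
    uint256 public constant MAX_DEVIATION_BPS = 1_000;

    constructor(IGlobalOracle _oracle, ILocalMarket _market) {
        oracle = _oracle;
        market = _market;
    }

    /// Per-unit value to use for collateral. Reverts when the local market has
    /// moved too far from the global feed, so tokens bought at a local discount
    /// cannot be posted as collateral at the undiscounted global price.
    function collateralPrice(address asset) public view returns (uint256) {
        uint256 globalPrice = oracle.price(asset);
        uint256 localPrice = market.spotPrice(asset);
        require(!deviates(globalPrice, localPrice, MAX_DEVIATION_BPS), "price deviation: asset paused");
        // Even within tolerance, value collateral at the lower of the two prices.
        return localPrice < globalPrice ? localPrice : globalPrice;
    }

    /// True when |a - b| exceeds maxBps basis points of a.
    /// With a 77% local drop (a = 100e18, b = 23e18) and maxBps = 1000 this returns true.
    function deviates(uint256 a, uint256 b, uint256 maxBps) public pure returns (bool) {
        uint256 diff = a > b ? a - b : b - a;
        return diff * 10_000 > a * maxBps;
    }
}
```

A guard like this would not have prevented the bridge drain itself, but it turns a cross-chain price dislocation into a paused market rather than an undercollateralized loan book.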
Key Lesson
These oversights should have been detected during a smart contract audit, which would have prevented the theft of over $7.7 million in assets from Meter and Hundred Finance.