polynetwork / eth-contracts


Compromised / hacked #17

Open mindfulme opened 3 years ago

mindfulme commented 3 years ago

https://github.com/polynetwork/eth-contracts/blob/d16252b2b857eecf8e558bd3e1f3bb14cff30e9b/contracts/core/cross_chain_manager/data/EthCrossChainData.sol#L45

mindfulme commented 3 years ago

This is the attack in detail:

The attacker computed the 32-bit ID for putCurEpochConPubKeyBytes:

ethers.utils.id('putCurEpochConPubKeyBytes(bytes)').slice(0, 10)
'0x41973cd9'

The attacker brute-forced a string that, if set as _method in the code snippet above, gives the same 32-bit value. In this case the attacker used the string “f1121318093”:

ethers.utils.id('f1121318093(bytes,bytes,uint64)').slice(0, 10)
'0x41973cd9'

The attacker called a cross-chain transaction from the Ethereum network to the Poly network by triggering EthCrossChainManager and targeting EthCrossChainData, and passing the string f1121318093 as _method, and the public key of their own Ethereum wallet as a parameter.

This triggered EthCrossChainManager into calling the function putCurEpochConPubKeyBytes within EthCrossChainData, and demanding the attacker’s public key to be registered as a Keeper’s. EthCrossChainData executed such command, since EthCrossChainManager is its owner.

Once the transaction was executed and the attacker was granted the status of Keeper for the Ethereum blockchain, the attacker proceeded into using the corresponding secret key in their possession to funnel tokens out of Poly’s Ethereum wallet into their own wallet.

The attacker repeated the above for other Poly liquidity wallets: Binance, Neo, Tether, etc.

mindfulme commented 3 years ago

Fix: remove ownership from https://github.com/polynetwork/eth-contracts/blob/d16252b2b857eecf8e558bd3e1f3bb14cff30e9b/contracts/core/cross_chain_manager/logic/EthCrossChainManager.sol over EthCrossChainData.sol contract, use multi sig instead

Walidhossain010 commented 3 years ago

is it a valid bug on poly network?? were you able to exploit?

stevenli6186 commented 3 years ago

> is it a valid bug on poly network?? were you able to exploit?

It was in the news on Aug 10th :-)