- The vulnerability was found in a file that converts code that humans can understand into a language that machines can store and process.
- The Sui blockchain network addressed a bug that had the potential to jeopardize “billions of dollars,” as stated in an announcement by Zellic, the security company responsible for auditing the network’s security.
There was a loss-of-funds bug discovered in the move verifier of Aptos and Sui, which has been fixed. The bug was identified by Zellic, a security firm. This bug could have potentially enabled various types of exploits against protocols built on Aptos or Sui.
The bug was found in a component that checks the accuracy of the Move language, used for writing smart contracts on Sui, when it is converted into machine code for deployment. If this bug had not been fixed, it could have allowed attackers to bypass important security measures, resulting in potentially significant financial losses.
As per the announcement, the bug in Sui was resolved by Mysten Labs on March 30, with commit 8bddbe65, after being alerted by Zellic. It is possible that the bug was also present in other networks that utilize the Move language, such as Aptos and Starcoin. The Zellic team confirmed that the bug in Aptos was fixed with a patch on April 10.
During a discussion with Cointelegraph, a representative from the 0L network, which uses the Move language, clarified that the bug does not impact their version of Move. On May 15, 0L uploaded a set of tests to their GitHub repository to demonstrate that the exploit is not feasible on their 0L version.
Sui is a blockchain network created by Mysten Labs and was founded by former engineers from Meta Platforms. It is based on the open-source Libra project, which was initiated by Meta, the parent company of Facebook. However, Libra was discontinued in 2019.
Many developers prefer the Move smart contract language due to its security features that are particularly beneficial for blockchains. One notable feature is the ability to create customized data types, such as a “coin” type that cannot be duplicated or erased.
Similar to other blockchain networks, Sui does not store its code in the same language it is written in. Instead, it converts the code from its human-readable language into a machine-readable format called bytecode.
When translating the code, Sui performs various checks to ensure that the converted code adheres to the security properties of the network. One important verification is to confirm that coins cannot be deleted or duplicated.
As per Zellic’s blog post, Mysten Labs enlisted their services to conduct a security assessment of the verifier program. While no bugs were discovered within the verifier itself, a bug was identified in the “Control Flow Graph” or “CFG” file used by the verifier for its operations. The way the CFG was written allowed certain lines of code to be concealed from the verifier, potentially enabling the storage and execution of code that violated the network’s security principles without detection.
According to the team’s explanation, the vulnerability had the potential to be exploited by malicious borrowers utilizing flash loans. In Move-based networks, flash loans involve sending the borrower an asset that cannot be deleted. If the borrower were able to delete this asset, they could have taken out a flash loan without repaying the borrowed funds. The vulnerability also opened the door to other types of exploits by violating the fundamental security principles of Move. Consequently, this put a significant amount of money, potentially billions of dollars, at risk, as stated by the security firm in its post.
Recently, fundraising activities in Move-based networks and their applications have gained considerable attention. For instance, a decentralized exchange named Cetus, built on Sui blockchain, managed to raise more than $6 million within just one minute on May 8. Similarly, the company responsible for Aptos, another Move-based project, successfully raised over $150 million in July 2022.
This information is for general knowledge only and should not be considered as advice for investing or making financial decisions.
Author
