PT-2023-25174 · Vega · Vega

Wwestgarth · Published 2023-06-20 · Updated 2024-08-20 · CVE-2023-35163 · CVSS v3.1 6.0 Medium
Vector: AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Vega versions prior to 0.71.6
Description: A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega's Ethereum bridge. For example, a 100 USDT deposit to the collateral bridge that credits a party's general account on Vega can be re-processed 50 times, resulting in 5000 USDT in that party's general account without any more than the original 100 USDT ever being deposited on the bridge. Although the exploit requires access to a validator's Vega key, such a key can be obtained at the small cost of 3000 VEGA, the amount needed to announce a new node onto the network. The steps to carry out the exploit are: cause an Ethereum event, scrape the resulting valid ChainEvent transaction, change the value of its txId field, and resubmit the tweaked ChainEvent to the Vega network. The key to the exploit is that txId is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event, so each resubmission carrying a fresh txId passes the duplicate check and is then verified against the same real Ethereum event.
Recommendations: For versions prior to 0.71.6, update to version 0.71.6 to resolve the issue. As a temporary workaround, consider restricting access to mainnet1 to minimize the risk of exploitation. Additionally, validators can stop the bridge to prevent withdrawals should this vulnerability be exploited. Monitoring alerts are in place to identify issues of this nature, including exploitation of this vulnerability.
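The following Go program is an added illustration of the flaw class the advisory describes, not Vega's own code. It models a bridge that verifies a submitted ChainEvent against an Ethereum log and credits the party named in that log. In the vulnerable path the replay check is keyed on the submitter-supplied txId, while verification consults only the block number and log index; in the hardened path the replay check is keyed on the identity of the log that verification actually returned, which the submitter cannot vary. The field layout, the in-memory `ethChain` stand-in for an Ethereum node, the party name and the deposit values are all constructed for the example.

```go
package main

import "fmt"

// EthLog is what the verification step recovers from the Ethereum chain
// (constructed model). Block and LogIndex are fixed by where the real
// deposit landed; the submitter cannot choose them.
type EthLog struct {
	Block    uint64
	LogIndex uint
	TxHash   string
	Party    string
	Amount   uint64
}

// ChainEvent is the message a validator submits to the network (assumed
// layout). TxID is a free-form field of the message; only Block and
// LogIndex are used by verification.
type ChainEvent struct {
	TxID     string
	Block    uint64
	LogIndex uint
}

func logKey(block uint64, idx uint) string { return fmt.Sprintf("%d:%d", block, idx) }

// ethChain stands in for the Ethereum node the verifier would query.
// It holds exactly one real 100 USDT deposit (constructed data).
var ethChain = map[string]EthLog{
	logKey(17_500_000, 3): {Block: 17_500_000, LogIndex: 3, TxHash: "0xabc123", Party: "party-1", Amount: 100},
}

// verifyOnChain resolves a submitted event against Ethereum. The submitted
// TxID plays no part here, which is the root of the replay.
func verifyOnChain(ev ChainEvent) (EthLog, bool) {
	l, ok := ethChain[logKey(ev.Block, ev.LogIndex)]
	return l, ok
}

// Bridge tracks processed events and resulting general-account balances.
type Bridge struct {
	seen     map[string]bool
	balances map[string]uint64
}

func NewBridge() *Bridge {
	return &Bridge{seen: map[string]bool{}, balances: map[string]uint64{}}
}

// ProcessVulnerable mirrors the advisory: the resubmission check keys on the
// attacker-controlled TxID, then verification succeeds for any TxID.
func (b *Bridge) ProcessVulnerable(ev ChainEvent) error {
	if b.seen[ev.TxID] {
		return fmt.Errorf("duplicate chain event %s", ev.TxID)
	}
	l, ok := verifyOnChain(ev)
	if !ok {
		return fmt.Errorf("event %s not found on Ethereum", ev.TxID)
	}
	b.seen[ev.TxID] = true
	b.balances[l.Party] += l.Amount
	return nil
}

// ProcessFixed verifies first and keys the resubmission check on the
// verified log's own identity, so a changed TxID cannot mint a fresh entry.
func (b *Bridge) ProcessFixed(ev ChainEvent) error {
	l, ok := verifyOnChain(ev)
	if !ok {
		return fmt.Errorf("event %s not found on Ethereum", ev.TxID)
	}
	key := logKey(l.Block, l.LogIndex)
	if b.seen[key] {
		return fmt.Errorf("duplicate chain event %s", key)
	}
	b.seen[key] = true
	b.balances[l.Party] += l.Amount
	return nil
}

// Replay submits the one real deposit n times, changing only TxID on each
// submission, and returns party-1's resulting balance.
func Replay(b *Bridge, process func(ChainEvent) error, n int) uint64 {
	for i := 0; i < n; i++ {
		ev := ChainEvent{TxID: fmt.Sprintf("0xdeadbeef%04d", i), Block: 17_500_000, LogIndex: 3}
		_ = process(ev) // rejected replays return an error; that is the point
	}
	return b.balances["party-1"]
}

func main() {
	v := NewBridge()
	fmt.Println("vulnerable balance after 50 replays:", Replay(v, v.ProcessVulnerable, 50))
	f := NewBridge()
	fmt.Println("fixed balance after 50 replays:", Replay(f, f.ProcessFixed, 50))
}
```

The general rule the hardened path follows: a replay or idempotency key must be derived from data the verifier establishes, never from a field the submitter fills in, otherwise the duplicate check and the validity check disagree about what "the same event" means.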

Related Identifiers

CVE-2023-35163
GHSA-8RC9-VXJH-QJF2
GO-2023-1865

Affected Products

Vega