Reading 4 min Views 2 Published Updated
Sui’s blockchain network has quietly patched a bug that could have put “billions of dollars” at risk, according to a May 16 filing by Zellic, the security firm hired to audit the network’s security.
Loss of Funds Bug in Aptos and Sui
Quick spotlight on an unpublished (but fixed) loss-of-funds bug in the move verifier that seems to have been found by @zellic_io.
This would have allowed many types of exploits against Aptos or Sui based protocols.
— Jasper | Neodyme (@JasperCPS) April 11, 2023
The bug was dependent on a bytecode verifier that ensures that the human-readable Move language used to write smart contracts in Sui is correctly transcribed into machine code during deployment. If the bug had not been fixed, it could “allow attackers to bypass several security properties, resulting in potentially significant financial damage,” the report says.
According to the announcement, developer Sui Mysten Labs fixed the bug on March 30 in the 8bddbe65 commit after Zellic informed them of its existence. The bug could also be present on other Move-based networks, including Aptos and Starcoin. According to the Zellic team, the Aptos version of the bug was fixed with the April 10 patch.
In a conversation with Cointelegraph, a spokesperson for the Move-based 0L network stated that the bug does not affect its version of Move. On May 15, 0L added a series of tests to its GitHub that it says prove the exploit is not possible in version 0L.
Cointelegraph reached out to Aptos and Starcoin for comment, but received no response in the form of a post.
A blockchain network developed by Mysten Labs, Sui was founded by former Meta Platforms engineers. It is a fork of the open source Libra project created by Meta, the parent company of Facebook. Libra was shut down in 2019.
Some developers prefer the Move smart contract language because its security features are especially useful for the blockchain. For example, it allows developers to create their own data types, including the “coin” type, which cannot be copied or deleted.
Related: Justin Sun apologizes after Sui LaunchPool clashes with Binance CEO
Like other blockchain networks, Sui does not store code in the same language as it is written in. Instead, it converts this code from a human-readable web language into machine-readable bytecode.
While doing this translation, Sui performs a series of checks to ensure that the translated code does not violate the network’s security properties. For example, it ensures that coins cannot be deleted or copied.
According to the Zellic blog post, Mysten Labs hired him to evaluate the security of this verifier program. No errors were found in the verifier itself. However, he found an error in the “Control Flow Graph” or “CFG” file that the verifier uses to perform many of its tasks. Because of the way it was written, CFG can allow certain lines of code to be hidden from the verifier, allowing code that violates network security principles to be saved and run without being caught.
In their explanation, the team stated that the most obvious way to exploit this vulnerability is for attackers to obtain instant credits. When quick loans are implemented in Move-based networks, the loan protocol typically sends an asset to the borrower that cannot be removed. If the borrower is able to remove this asset, they “may successfully take out an instant loan and not repay the borrowed funds,” the team said. Other types of exploits are also possible, as the vulnerability allowed the basic security principles of Move to be violated. Thus it is “[поставило] potentially billions of dollars at risk,” the security firm said in a statement.
Motion-based networks and their applications have recently made a splash in the fundraising world. On May 8, Sui-based decentralized exchange Cetus raised over $6 million in one minute. The company behind Aptos also raised over $150 million in July 2022.