Jump Crypto, a Web3 investor and developer, has discovered a vulnerability in Celer’s State Guardian Network (SGN) that would allow malicious validators to compromise the network and its applications, including Celer’s cBridge.
Due to a bug in the SGN EndBlocker code, validators could vote multiple times on the same update, according to the postmortem report from Jump Crypto.
By permitting validators to vote numerous times, malicious actors could increase their ability to approve harmful updates. The report explained:
“The [EndBlocker] code is missing a check that prevents a validator from voting on the same update twice. A malicious validator could exploit this by voting multiple times on the same update, effectively multiplying their voting power and potentially tipping the vote in favor of an invalid or malicious update.”
Celer is a Cosmos-based blockchain that supports cross-chain communication, according to the report.
After Celer released portions of the off-chain SGNv2 code on GitHub, Jump reviewed the script.
The protocol’s team was then privately notified of the flaw, which has since been patched without malicious use.
According to the report, the vulnerability would provide a malicious validator with a “wide range of options,” including the ability to spoof arbitrary on-chain events such as bridge transfers, message emissions, or staking and delegation on Celer’s primary SGN contract.
However, Celer has safeguards against complete bridge-fund theft.
The report highlights three mechanisms: a delay triggered by the bridge contract on transfers exceeding a particular value; a volume-control tool limiting the value of tokens that can be extracted quickly; and an emergency halt of contracts triggered when malicious transfers cause an under-collateralization event.
Even with the security safeguards, the protocol would not be completely protected. According to Jump’s report, transaction limits only apply per chain and token, and “due to the large number of supported tokens and chains, it seems plausible that an attacker could exfiltrate tokens worth $30 million before the contracts are halted,” the report said.
According to DefiLlama, the amount represents approximately 23% of Celer’s current locked value of $129.28 million at the time of writing.
“It is essential to note that these built-in mechanisms can only safeguard Celer’s bridge contracts. The report continued, “dApps built on top of Celer’s inter-chain messaging would be fully exposed to these vulnerabilities by default.”
Celer offers a $2 million bug bounty for its bridge’s vulnerabilities. However, bounty programs do not cover off-chain vulnerabilities, such as the SGNv2 network vulnerability.
Jump stated that it has discussed adding the SGNv2 network to its bug bounty program with the protocol. Celer’s team is currently evaluating the potential compensation for Jump’s report.