How I secured 70,000 ETH and won a 6 million bug bounty
2022-08-01 10:02:00 【Xijing Swordsman】
Original link: https://pwning.mirror.xyz/CB4XUkbJVwPo7CaRwRmCAPaP2DMjPQccW-NOcCwQlAs
Hello! I'm pwning.eth, a wanderer in the hacker space who recently jumped into the crypto world. A few months ago, I reported a critical bug in the Aurora engine, a layer 2 EVM solution based on the NEAR protocol. At least 70,000 ETH was at risk of being stolen until I discovered the thorny vulnerability and helped the Aurora team fix it. If 200 million tokens had been taken by black-hat hackers, it would have ranked among the top five heists in DeFi history. In the end, I won a bug bounty of 6 million, the second largest bounty in history.
I'm an experienced white hat hacker from the Web2 world. I've watched hacks in the crypto world for a while, and there's a lot of randomness in them! I'm not surprised by the astronomical profits of DeFi hackers, since real-world criminals also make a lot of money. However, I was genuinely shocked by the story of Saurik, a famous hacker from the iOS jailbreak community. The scale of his bug bounties is unheard of in the traditional security world, so I couldn't wait to start my own treasure hunt in Web3.
I first checked the bounty list on Immunefi. The Aurora bounty program, listed at the top of the site, caught my eye because of its huge bounty offer. It is a new kind of project built by a group of talented engineers, which suggested it might be complex enough to be immune to common DeFi hacks, and mysterious enough that I could learn something magical. Because of my experience hacking modern complex systems, I was able to get started researching a new blockchain quickly. I reviewed the Aurora bridge and found it a solid project. Then I looked into the Aurora engine and found the unicorn bug within a few hours. Unlike with normal DeFi exploits, I felt I had identified this bug quickly and by luck, so I took the time to verify and replicate it in case it was a false positive. I spent days studying, building, learning, testing and finally finalizing the report.
I tried contacting the Aurora team on Discord, messaged the official bounty email, and submitted the issue via Immunefi. They quickly confirmed and patched the vulnerability (official link). Their reward for critical vulnerabilities in smart contracts is calculated as 10% of the potential economic damage, capped at $6,000,000. In this case, the potential damage may have been ten times higher than this maximum reward. Therefore, I was eligible to receive the maximum possible amount, in the form of locked Aurora tokens with a total value of $6,000,000. Listing on Immunefi was a very wise and lucky move :)
The technical details have been explained by Immunefi. Here is my short summary:
- The Aurora engine implements bridged tokens as pre-built contracts at hardcoded addresses. They are the magic bridges connecting Ethereum, NEAR and Aurora.
- The vulnerable contract is deployed at a specific address and emits bridge events, assuming that `msg.value` has been collected by the contract itself. However, if the contract is called via `delegatecall()`, `msg.value` is never sent to the contract, but the logs are emitted as usual.
- By repeating malicious withdrawals, an attacker can exponentially double their balance. Infinite inflation of ETH could disrupt Aurora's entire ecosystem: all 71K ETH in Aurora's account could be drained, and the free ETH could then buy other valuable tokens (billions of TVL on the Aurora bridge).
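The `msg.value` / `delegatecall()` mismatch in the summary above, shown as an added Solidity illustration that is not Aurora's code and not from the original report. `NaiveBridge`, `GuardedBridge` and `Relay` are hypothetical names: `NaiveBridge` trusts `msg.value` and logs a credit, `GuardedBridge` adds the standard self-address guard that refuses to run under `delegatecall`, and `Relay` is a test harness that delegates into either one so a unit test can observe the difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Aurora's code. All contract names are hypothetical.

// Vulnerable pattern: trusts msg.value and records a credit without checking
// that the ETH actually arrived in this contract's own context.
contract NaiveBridge {
    event Deposited(address indexed from, uint256 amount);
    mapping(address => uint256) public credits; // storage slot 0

    function deposit() external payable {
        // Under a plain CALL this is fine: the ETH is now held by this contract.
        // Under DELEGATECALL msg.value is still the outer call's value, but no
        // ETH was moved to this contract and the storage being written (and the
        // address on the emitted log) belong to the calling contract.
        credits[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }
}

// Hardened pattern: refuse to run in a delegated context. SELF is fixed at
// deployment; under delegatecall address(this) is the caller's address instead.
contract GuardedBridge {
    event Deposited(address indexed from, uint256 amount);
    mapping(address => uint256) public credits; // storage slot 0
    address private immutable SELF;

    constructor() {
        SELF = address(this);
    }

    modifier notDelegated() {
        require(address(this) == SELF, "delegatecall not allowed");
        _;
    }

    function deposit() external payable notDelegated {
        // With the guard in place, msg.value has really been transferred to
        // this very contract, so crediting it is safe.
        credits[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }
}

// Test harness: delegates into a bridge so the discrepancy can be observed
// from a unit test. Slot 0 mirrors the bridges' `credits` layout on purpose.
contract Relay {
    mapping(address => uint256) public credits; // storage slot 0

    function relay(address bridge) external payable returns (bool ok) {
        // The ETH sent with this call stays in Relay's balance; the callee
        // nevertheless sees the same msg.sender and msg.value.
        (ok, ) = bridge.delegatecall(abi.encodeWithSignature("deposit()"));
    }
}
```

In a unit test, calling `Relay.relay(naive)` with 1 ether returns `ok == true`, emits `Deposited` with the Relay's address as the log address, and leaves `Relay.credits[sender] == 1 ether` while `NaiveBridge`'s balance is unchanged: a credit was recorded and logged for ETH the bridge never received. Calling `Relay.relay(guarded)` with the same value returns `ok == false` and writes nothing, because `address(this)` inside the delegated frame is the Relay, not `SELF`. The guard is the same idea as the `notDelegated` modifier used by upgradeable-contract libraries; a balance-delta check around the credit is a complementary defence.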
If you're hardcore enough, you might find the original report and script fun. Enjoy!