Web3 developer Jump Crypto has recently discovered a critical vulnerability in Celer’s State Guardian Network (SGN), potentially compromising the network and applications dependent on it, including Celer’s cBridge. Jump Crypto’s postmortem report revealed that the vulnerability allowed malicious validators to exploit a bug in the SGN EndBlocker code, enabling them to vote multiple times on the same update.
The Web3 developer releases his report
This flaw in the code allowed malicious actors to amplify their voting power, potentially approving harmful or invalid updates. Celer, a Cosmos-based blockchain facilitating cross-chain communication, released parts of the off-chain SGNv2 code on GitHub, prompting Jump to review the script and privately notify Celer’s protocol team about the vulnerability. Celer promptly addressed the issue, fixing it before any malicious exploitation occurred.
The vulnerability presented a range of options for malicious validators, including the ability to manipulate on-chain events such as bridge transfers, message emissions, and staking and delegation on Celer’s main SGN contract. While Celer had implemented defense mechanisms to prevent the complete theft of bridge funds, the Web3 developer’s report highlighted three specific safeguards. These included a transfer delay triggered by the bridge contract for transfers exceeding a certain value, a volume-control mechanism limiting the extraction of tokens within a short period, and an emergency halt of contracts in response to under-collateralization events caused by malicious transfers.
However, despite these security measures, the report emphasized that the protocol was not entirely protected. The transaction limits are applied per chain and token, meaning that an attacker could potentially exfiltrate tokens with a value of approximately $30 million before the contracts are halted. This amount represents around 23% of Celer’s current total value locked.
Celer tackles the problem and expands its bug bounty program
The Web3 developer’s report further highlighted that while Celer’s built-in mechanisms could protect its bridge contracts, decentralized applications (dApps) built on top of Celer’s inter-chain messaging would remain vulnerable to these types of vulnerabilities by default.
Celer has a bug bounty program offering a $2 million reward for vulnerabilities in its bridge. However, it does not cover off-chain bugs such as the one discovered in the SGNv2 network. Jump Crypto has been engaged in discussions with Celer about adding the SGNv2 network to its bug bounty program, and the potential payout for Jump’s report is currently under evaluation by Celer’s team.
The identification and swift resolution of this vulnerability highlight the importance of rigorous security measures and bug bounty programs in the blockchain industry. By addressing these issues promptly, networks like Celer can enhance their resilience and safeguard user assets in the evolving Web3 landscape.