On December 29, 2024 at 5:00 AM UTC, the FEG token bridge system was exploited. The flaw permitted the attacker to withdraw FEG tokens from the bridge contract without having deposited them on the source chain. The total profit for the attacker across three blockchains (Ethereum, Base, and BSC) is approximately $1 million USD.
The FEG token bridge relies on the Wormhole infrastructure to send and receive cross-chain messages. The root cause of the vulnerability was an error in the FEG cross-chain message verification process, which is unrelated to the Wormhole protocol.
"0xCB96ddE53F43035f7395D8DbdB652987F7630b3c" on three blockchains (Ethereum, Base, and BSC).
Take the withdrawal on BSC as an example:
Message_01
Purpose: add the attack contract 0xe7ba8de3adf9d6cc12b8ceeb4a654ee1a276a03c to the whitelist of the FEG relayer.
Message_02
Purpose: malicious message that sets the withdrawable token amount to 45,715,693,242 FEG tokens.
The FEG Relayer "0x3a3709b8c67270a84fe96291b7e384044160c6b1" received the Wormhole message, processed it, and called "registerWithdraw" in the "SmartBridge" contract, thus registering a withdrawal balance that the attacker's contract could claim at a later time.
Take the attack on BSC as an example:
Based on the current investigation, the vulnerability is most likely located within the FEG Relayer contract "0x3A3709b8c67270A84Fe96291B7E384044160C6b1" of the FEG SmartBridge. The relayer contract is unverified, and the analysis is based on the decompiled code.
The FEG relayer maintains a whitelist of "sourceAddress" values to reject messages from untrusted emitters, which is the intended behavior. However, the relayer also contains logic that allows this whitelist to be updated via a bridged message: if the "user" field in the message payload equals the admin address, the relayer adds the message's "sourceAddress" to the whitelist without verifying whether that address can be trusted. Because the payload is written by whoever emits the message, the admin check authenticates nothing. The reason for including such a feature in the FEG relayer is unknown.
The attacker is able to add the attack contract to the whitelist through the following methods:
After the attacker-controlled contract's address is added to the whitelisted "sourceAddress" set, the attacker can send a malicious message that invokes "registerWithdraw" and sets the FEG balance in the FEG SmartBridge to be withdrawable by the attacker.
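As an added illustration (not FEG's code; the relayer is unverified and the analysis above rests on decompiled bytecode), the following Solidity sketches the flawed pattern described above next to a hardened receiver. The receiveWormholeMessages signature is the one Wormhole's relayer SDK defines for the destination contract; the ISmartBridge interface, the constructor parameters, and the admin and trustedEmitter names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Wormhole relayer receiver interface. sourceAddress and
// sourceChain identify the emitter contract on the origin chain and are
// supplied by the Wormhole relayer after VAA verification, not by the
// message author; the payload is authored by the emitter.
interface IWormholeReceiver {
    function receiveWormholeMessages(
        bytes memory payload,
        bytes[] memory additionalVaas,
        bytes32 sourceAddress,
        uint16 sourceChain,
        bytes32 deliveryHash
    ) external payable;
}

// Hypothetical bridge interface; the real SmartBridge ABI is not on the page.
interface ISmartBridge {
    function registerWithdraw(address user, uint256 amount) external;
}

// Illustrative reconstruction of the flaw: a payload whose "user" field equals
// the admin address is treated as proof of authority, so any emitter on any
// chain can whitelist itself (Message_01) and then register a withdrawal
// (Message_02).
contract VulnerableRelayer is IWormholeReceiver {
    address public immutable wormholeRelayer;
    address public immutable admin;
    ISmartBridge public immutable bridge;
    mapping(bytes32 => bool) public whitelistedSource;

    constructor(address _relayer, address _admin, ISmartBridge _bridge) {
        wormholeRelayer = _relayer;
        admin = _admin;
        bridge = _bridge;
    }

    function receiveWormholeMessages(
        bytes memory payload,
        bytes[] memory,
        bytes32 sourceAddress,
        uint16,
        bytes32
    ) external payable override {
        require(msg.sender == wormholeRelayer, "only relayer");
        (address user, uint256 amount) = abi.decode(payload, (address, uint256));

        // FLAW: attacker-controlled payload data decides who becomes trusted.
        if (user == admin) {
            whitelistedSource[sourceAddress] = true;
            return;
        }
        require(whitelistedSource[sourceAddress], "untrusted source");
        bridge.registerWithdraw(user, amount);
    }
}

// Hardened form: trust is bound to the (sourceChain, sourceAddress) pair the
// relayer supplies; the trusted-emitter table changes only through a locally
// authenticated admin transaction, never through bridged data; and each
// delivery is processed at most once.
contract HardenedRelayer is IWormholeReceiver {
    address public immutable wormholeRelayer;
    address public immutable admin;
    ISmartBridge public immutable bridge;
    mapping(uint16 => bytes32) public trustedEmitter; // one emitter per source chain
    mapping(bytes32 => bool) public processed;        // deliveryHash replay guard

    constructor(address _relayer, address _admin, ISmartBridge _bridge) {
        wormholeRelayer = _relayer;
        admin = _admin;
        bridge = _bridge;
    }

    // Authority comes from msg.sender of a local transaction, not a payload field.
    function setTrustedEmitter(uint16 chain, bytes32 emitter) external {
        require(msg.sender == admin, "not admin");
        trustedEmitter[chain] = emitter;
    }

    function receiveWormholeMessages(
        bytes memory payload,
        bytes[] memory,
        bytes32 sourceAddress,
        uint16 sourceChain,
        bytes32 deliveryHash
    ) external payable override {
        require(msg.sender == wormholeRelayer, "only relayer");
        require(trustedEmitter[sourceChain] == sourceAddress, "untrusted emitter");
        require(!processed[deliveryHash], "already delivered");
        processed[deliveryHash] = true;

        (address user, uint256 amount) = abi.decode(payload, (address, uint256));
        bridge.registerWithdraw(user, amount);
    }
}
```

The design point is that every field inside the payload is chosen by the emitter, so the only identity a receiver can rely on is the emitter address and chain that the verified VAA carries. Binding one trusted emitter per chain and keying replay protection on deliveryHash are the checks the Wormhole relayer documentation expects the receiving contract to perform.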
Note that the relayer contract is deployed by "0x46B6dF78388284088e07aA8F5dda4B5A3Ef3f861", funded by "0xb44a872e035714aa057158ae2ffbbe467f13f5dd", which received its initial funds from "FEG: Deployer 1." This suggests that the relayer is associated with the FEG team.
The attacker swapped the FEG tokens withdrawn from the bridge into chain-native tokens, such as ETH and BNB, during the exploit transaction. The total profit for the attacker is approximately $1 million USD. Those tokens have been sent to TornadoCash.
https://wormhole.com/docs/build/contract-integrations/wormhole-relayers/#receive-a-message