The Sui blockchain network quietly fixed a bug that could have put “billions of dollars” at risk, according to a May 16 announcement from Zellic, the security firm hired to audit the network’s security.
A billion dollar bug:
How Zellic found and fixed a critical security vulnerability affecting all Move L1’s, including Aptos, Sui, Starcoin, and 0L
This bug violated Move’s core security properties and would’ve broken many smart contracts, e.g. flash loans!
Read more: pic.twitter.com/i9rkOJzz6e
— Zellic (@zellic_io) May 16, 2023
The bug was in a dependency of the bytecode verifier, which ensures that the human-readable Move language used to write smart contracts on Sui is correctly transcribed into machine code during deployment. Had the bug not been fixed, it could have “allowed attackers to bypass multiple security properties, leading to potentially significant financial damages,” the announcement said.
In a statement to Cointelegraph, Mysten Labs confirmed that the the bug has been fixed in the SUI version of MOVE.
Zellic claimed that the bug may have also been present in other Move-based networks, including Aptos and Starcoin. However, they stated that the Aptos version of it was eliminated with a patch on April 10, according to the Zellic team.
Cointelegraph reached out to Aptos for comment but did not receive a response by publication.
In a conversation with Cointelegraph, a representative from the Move-based 0L network stated that the bug does not affect its version of Move. On May 15, 0L added a series of tests to their GitHub, which it says proves the exploit is not possible on the 0L version. The Starcoin team told Cointelegraph that their version was eliminated on April 5.
A blockchain network developed by Mysten Labs, Sui was founded by former Meta Platforms engineers. It’s a fork of the open-source Libra project created by Facebook-parent Meta. Libra was shut down in 2019.
Some developers favor Move smart contract language because its security features specifically benefit blockchains. For example, it allows developers to create custom data types, including a “coin” type that cannot be copied or deleted.
Related: Justin Sun issues apology after Sui LaunchPool clashes with Binance CEO
Like other blockchain networks, Sui does not store code in the same language it is written in. Instead, it converts this code from the network’s human-readable language to machine-readable bytecode.
In making this translation, Sui runs a series of verifications to ensure the translated code does not violate the security properties of the network. For example, it ensures that coins can’t be deleted or copied.
According to Zellic’s explanatory blog post, it was hired by Mysten Labs to do a security assessment of this verifier program. It did not find a bug in the verifier itself. However, it found a bug in the “Control Flow Graph” or “CFG” file that the verifier uses to accomplish many of its tasks. Because of how it was written, the CFG could allow certain lines of code to be hidden from the verifier, allowing code that violates the network’s security principles to be stored and run without getting caught.
In its explanation, the team stated that the most obvious way this vulnerability could have been exploited is by malicious borrowers taking out flash loans. When flash loans are implemented on Move-based networks, the loan protocol usually sends the borrower an asset that cannot be deleted. If the borrower can delete this asset, they “could successfully take out a flash loan and not repay the borrowed funds,” the team said. Other types of exploits could also have been possible since the vulnerability allowed the basic principles of Move security to be violated. It, therefore, “[placed] potentially billions of dollars at risk,” the security firm stated in its post.
Move-based networks and their apps have been making waves in the fundraising world lately. A Sui-based decentralized exchange called Cetus raised over $6 million in one minute on May 8. The company behind Aptos also raised over $150 million in July 2022.
This story was updated on May 16 to include statements from Mysten Labs and Starcoin confirming that the bug existed but has been eliminated through software updates.
