Decoding BitKeep’s Smart Contract Vulnerability

TL;DR#

On October 17, 2022, BitKeep suffered an exploit on BNB Chain through a service used to swap tokens, causing a loss of approximately $1 million.

Introduction to BitKeep#

BitKeep is a decentralized multi-chain cryptocurrency wallet that provides numerous digital asset management services to consumers worldwide.

Vulnerability Assessment#

The vulnerability was exploited because of a flaw in BitBTC code, in which the said contract utilized a custom bridge instead of the standard bridge that Optimism provides.

Steps#

Step 1:

The L2 side of their bridge permits the withdrawal of any token and allows that token to choose the l1Token address transmitted to the L1 side of the bridge.



Step 2:

Nonetheless, the L1 bridge disregards what the L2 token was and simply mints the arbitrary L1 token.



Step 3:

Thus, an adversary could deploy their own token on Optimism, give themselves the entire quantity, and set the l1Token of their token to the actual BitBTC L1 address.

Step 4:

An attacker withdraws billions of fake BitBTC tokens from Optimism.

Step 5:

Then, when the attacker attempted to withdraw their fraudulent token via the BitBTC bridge, they are given actual BitBTC tokens on L1.

Aftermath#

To ensure that there are no other asset security issues, the team had suspended their Swap service. They also communicated and collaborated with major security agencies in order to track down the hackers and recover the stolen assets.

How to Prevent Such an Attack Vector#

Security is of the foremost importance, therefore project teams should use the standard bridge as opposed to developing a custom bridge without any prior risk estimates..

Protocol, and Platform Security#

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.