Key Takeaways:
- This morning, Meter.io informed its community that Meter Passport was hacked a few hours earlier.
- They asked people not to trade the unbacked meterBNB that is circulating on Moonriver.
- They have identified the issue.
- According to them, Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience.
Another bridge has been hacked today, following the recent Wormhole bridge hack. This morning, Meter.io informed its community that Meter Passport was hacked a few hours earlier. Please do not trade the unbacked meterBNB that is circulating on Moonriver. They have identified the issue. According to them, Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience.
They also said that the contract did not block direct interaction with the wrapped ERC20 tokens for the native gas token, and did not properly transfer and verify the correct amount of WETH transferred from the caller's address. They are currently working on compensating all affected users.
They further informed people that they are working on taking a snapshot from before the attack and will convert the original BNB and WETH 1:1 to their value in MTRG; the remaining inflated BNB and WETH will be converted based on the value the hacker stole from the LP pools. They have set aside $4.4M of MTRG based on today's price.
According to them, around 6 am Pacific time they identified that someone was able to leverage a vulnerability in the bridge to mint a large amount of BNB and WETH tokens and deplete the bridge reserve for BNB and WETH. They stopped all bridge transactions immediately and started an investigation. Within 30 minutes they identified the issue as a bug introduced in the automatic wrap and unwrap of native tokens like BNB and ETH, an extension added by the Meter team.
The extended code had a wrong trust assumption which allowed the hacker to call the underlying ERC20 deposit function to fake a BNB or ETH transfer. The only impacted tokens were native gas tokens (WETH and BNB), and only the Meter and Moonriver networks were impacted. All the other tokens and their corresponding reserves are SAFU.
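The trust assumption described above can be shown with a simplified Python model of the deposit accounting. This is an added example, not Meter's or ChainBridge's contract code; the class names, account names and amounts are constructed, and the `verify_receipt` switch is a hypothetical flag that toggles between the flawed and the hardened behaviour.

```python
# Simplified model of the deposit accounting; constructed names and amounts.
class WrappedToken:
    """Minimal ERC20-style ledger standing in for wrapped BNB/WETH."""
    def __init__(self):
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def transfer_from(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.mint(dst, amount)


class BridgeModel:
    HANDLER = "handler"  # account holding the bridge reserve

    def __init__(self, token, verify_receipt):
        self.token, self.verify_receipt = token, verify_receipt
        self.credited = 0  # total the destination chain is told to mint

    def deposit(self, caller, amount, native_value=0):
        snapshot = dict(self.token.balances)  # lets a failed call revert
        before = self.token.balance_of(self.HANDLER)
        if native_value:
            # Auto-wrap path: native value sent with the call is wrapped.
            self.token.mint(self.HANDLER, native_value)
        elif self.verify_receipt:
            # Wrapped-token path: pull the tokens from the caller.
            self.token.transfer_from(caller, self.HANDLER, amount)
        # The flawed variant pulls nothing on the wrapped-token path and
        # trusts `amount` from the call data without comparing it.
        received = self.token.balance_of(self.HANDLER) - before
        if self.verify_receipt and received != amount:
            self.token.balances = snapshot
            raise ValueError("amount not backed by received tokens")
        self.credited += amount
        return received

    def is_backed(self):
        """Invariant: credited deposits never exceed the locked reserve."""
        return self.credited <= self.token.balance_of(self.HANDLER)
```

The `is_backed()` invariant is also useful as an off-chain monitoring check: a bridge whose credited total exceeds its locked reserve has accepted a false deposit.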
They have identified some early traces of the hacker and are working with authorities. They urge the hacker to return the funds. Around $4.4M was lost. They are working on taking snapshots and designing a compensation plan for the WETH and BNB holders and liquidity providers.
They also urged all liquidity providers with liquidity involving WETH and BNB to remove it from the pool and wait for an additional announcement from the Meter team. Please try to avoid trading in these pairs as well. Pairs for other tokens are safe to trade.
According to PeckShield, 1391.24945169 ETH + 2.74068396 BTC was taken in the hack. The extension over the original (unaffected) ChainBridge introduces a false deposit issue. This is the second bridge hack of 2022. People are hoping that Meter.io will recover its funds soon.
According to our sources, the attacker address is 0x8d3d13cac607B7297Ff61A5E1E71072758AF4D01. The attacker moved $4.3M in funds to Tornado Cash, including 1400 ETH (~$4.2M) and 2 WBTC (~$83k). One of the exploit transactions is 0xc4d7e160c7652f2db22681aa2777c5b37937bf30375c5b2c6b2bd172ae984950.
The attacker called the Bridge.deposit() function to deposit 0.008 BNB to the contract Bridge connected to multiple chains including #BSC, #Ethereum, #Moonriver (twice).
The attacker injected the following malicious data by calling Bridge.deposit(). Then Bridge.deposit() invoked the ERC20Handler.deposit() function with the following input.