The SCRT Hack that Never Happened

# The SCRT Hack that Never Happened And why was it covered up? ![safu](https://i.imgflip.com/6c8edl.jpg) The bsc & ethereum bridge contracts are deployed at: * https://secretnodes.com/secret/chains/secret-4/contracts/secret168mwctng6s7vk9w5d7n0wsty2f7vaq3rjq8g7c (deployed 30 May 2021) * https://secretnodes.com/secret/chains/secret-4/contracts/secret1sferux27lpr3lm52c8sq2dd7m54xhm28thnj5y (deployed 22 Apr 2021) They both have the code hash of `BB18FFC1E501025B1C07DAF013F3594F5E80FD17F1E59B0D3EC95BA2E26FF33D` However, the [swap.wasm](https://github.com/scrtlabs/EthereumBridge/blob/master/src/contracts/secret/compiled/swap.wasm.gz) file in the EthereumBridge github repo has a different hash: `60d4f9b200f68166a9c7bfaefd86abdbd413679b5ef4f7276178c70acc75bb55` @ (uploaded Jan 31 2021) **So... why is the deployed code different from the code in the github repo?** **Because there was an exploit, that allowed anybody to mint an infinite number of any of the bridged tokens in the `mint_token` function:** https://github.com/scrtlabs/EthereumBridge/blob/master/src/contracts/secret/secret-swap-contract/src/contract.rs#L113 Notice that `pause_swap`, `unpause_swap`, `remove_token_contract`, `change_owner` and `add_token_contract` methods all have an owner check, e.g: if params.owner != deps.api.canonical_address(&env.message.sender)? { return Err(StdError::generic_err( "Cannot add token from non owner address", )); } But `mint_token` doesn't have this check, given how obvious this exploit is I posit that it may have been deliberate subterfuge. The vulnerable contract was deployed at: https://secretnodes.com/secret/chains/secret-2/contracts/secret1tmm5xxxe0ltg6df3q2d69dq770030a2syydc9u and processed over 9000 transactions between 14 Dec 2020 and 22 Apr 2021. If you retrieve the new WASM file for the contract you can see at byte 223643 there is an error message which isn't present in the published source code: 223643 43 61 6E 6E 6F 74 20 6D 69 6E 74 20 74 6F 6B 65 6E 20 66 72 6F 6D 20 6E 6F 6E 20 6F 77 6E 65 72 20 61 64 64 72 65 73 73 Cannot mint token from non owner address This massive security bug was silently fixed patched and re-deployed without telling us, how do we know nobody used the exploit and now the bridged assets are undercollateralized? **We need assurances that funds r safu** Not just that, but when listing the deployed contracts on: https://secretnodes.com/secret/chains/secret-4/contracts Contract #43 is mysteriously absent (even though it has a label and is one of the most used contracts). Is this more evidence of a coverup? And who patched the contract? Because the source code for the bridge contract in the github repo hasn't been updated we won't know until they admit it, but we know who compiled it: /home/assafmo/.cargo/registry/src/github.com-1ecc6299db9ec823/ Yes, that [assafmo](https://forum.scrt.network/u/assafmo/summary), Lead Software Engineer @ SCRT Labs. The fact that such an important piece of the bridge isn't open-source is not a good sign, the source code is out of sync with the blockchain - who knows what else they've added or changed that could introduce more exploits and put funds at risk. ------------------- You don't think this was a coverup or a conspiracy? Look at this commit for the [EthereumBridgeFrontend](https://github.com/scrtlabs/EthereumBridgeFrontend/commit/ce4f46c8dfc2c8d035282f6ad4ffcd2b8bcd9b3c): ``` commit ce4f46c8dfc2c8d035282f6ad4ffcd2b8bcd9b3c Author: TomL94 <langer.tom7@gmail.com> Date: Thu Apr 22 21:13:13 2021 +0300 revert diff --git a/.env.mainnet b/.env.mainnet index 5d21901b..dbec8fc7 100644 --- a/.env.mainnet +++ b/.env.mainnet @@ -13,7 +13,7 @@ SECRET_WS='wss://yolo.enigma.co:26667/websocket' BACKEND_URL='https://api-bridge-mainnet.azurewebsites.net' SUSHI_API='https://external-services.azurewebsites.net/api/sushi' -SCRT_SWAP_CONTRACT=secret1tmm5xxxe0ltg6df3q2d69dq770030a2syydc9u +SCRT_SWAP_CONTRACT=secret1sferux27lpr3lm52c8sq2dd7m54xhm28thnj5y ETH_MANAGER_CONTRACT=0xf4B00C937b4ec4Bb5AC051c3c719036c668a31EC ``` In amongst some minor UI changes the contract address for the vulnerable swap contract was changed to the new one. What were they reverting? The previous 2 commits put the bridge into maintainance mode while they scrambled to fix the problem: * https://github.com/scrtlabs/EthereumBridgeFrontend/commit/68475ebfbcfaa7308afa8d6e99f3a3187cd38148 * https://github.com/scrtlabs/EthereumBridgeFrontend/commit/0486dd4382e009e1293c53d36102dfb5bb4994a9 > The bridge is down for maintenance! 🛠 > > Only the bridge functionality is affected. All other products (including SecretSwap and liquidity mining) still work. Yes... 'maintenance'. We have to give them credit where it's due as the issue was fixed, but they didn't write a postmortem or publicly acknowledge that funds were at risk, and now we have no idea what else has been modified in the contract as it can't be verified. Repeat after me: **BRIDGE FUNDS R SAFU** **THERE WAS NO EXPLOIT**