MeterIO Decentralized Protocol Exploited for $4.3 Million

article image

Arman Shirinyan

Not a $320 million steal, but still, it is more than one protocol can afford to lose

Contents

  • Technical explanation of the hack
  • Cross-chain bridges are suffering

Another DeFi-related project by the name of MeterIO was hacked, facing a loss of $4.3 million, which could be worth more by press time due to increased volatility on the cryptocurrency market. Hackers stole 1,391 ETH and 2.7 BTC.

Technical explanation of the hack

Meter pretty well replicates the technology of ChainSwap cross-chain hub, or is simply a fork of it. But the main difference introduced by Meter developers is the change in the deposit method of the ERC20 handler.

The change assumes that the bridged token, which is a wrapped Native token, will not be burned or locked since the wrapped Native token is already unwrapped. The mentioned line of the code assumes that the bridged token is a wrapped Native token, so that it should not be burned or locked.

The assumption would have worked as intended for only one of the deposit methods, but it does not function properly for another method of putting funds in the contract on WETH deposit address.

The hacker has noticed the inconvenience in the contract and has sent the needed amount in calldata and taken control of funds that he or she should not have had.

Cross-chain bridges are suffering

Meter’s case is not the first one in the cross-chain industry with one of the largest Solana-Ethereum bridges facing a vulnerability that leads to a loss of $320 worth of cryptocurrency.

Reportedly, the Wormhole’s issues were tied to the underlying bug in Solana’s core, which has been fixed in version 1.9. But since some contracts were running on older versions of the network, hackers were able to exploit the bug and steal users’ funds, which were later refunded by investors at a 1:1 rate.

Source: https://u.today/meterio-decentralized-protocol-exploited-for-43-million