Authored by Jon Roethke
We would like to make our community aware of an issue that was recently discovered relating to the ChainBridge smart contracts.
ChainSafe recently contracted Haechi to conduct an audit on recent upgrades made to the ChainBridge smart contracts.
During the audit, it was discovered that the ERC-721 Handler (ERC721Handler.sol) contained a vulnerability that could have allowed an attacker to override the recipient on the destination chain in certain circumstances. This vulnerability affects v.1.x, v2.x, and v3.x of the contracts.
What are we doing about it?
We released a fix and have shared this patch with our partners who were using ChainBridge v1/v2 in production.
Primarily, the change introduced an additional check to ensure that only the owner of the token would be allowed to burn the NFT. Additional information can be found in PR #614.
Patches for older versions:
If you are a team who is building with ChainBridge and require more information or support on addressing this vulnerability, please reach out via email (security [at] chainsafe [dot] io) or via Discord (#chainbridge-support).
We apologize for any inconvenience this may have caused, but we are thankful for having strong auditors in the community like Haechi to work with. We will continue to provide updates via Discord, Medium, and Twitter should there be any further developments.
ChainSafe is a leading blockchain research and development firm specializing in infrastructure solutions for web3. Alongside its contributions to major ecosystems such as Ethereum, Polkadot, Filecoin, Mina, and more, ChainSafe creates solutions for developers and teams across the web3 space utilizing our expertise in gaming, bridging, NFTs and decentralized storage.
As part of its mission to build innovative products for users and improved tooling for developers, ChainSafe embodies an open source and community-oriented ethos to advance the future of the internet. To learn more, click here.