Libra-associated Sui blockchain addresses significant vulnerability that endangered ‘billions’

The Sui blockchain network discreetly resolved a vulnerability that could have endangered “billions of dollars,” as stated in a May 16 announcement from Zellic, the security firm engaged to assess the network’s security.

Loss of Funds Bug in Aptos and Sui
A brief overview of an unpublished (but resolved) loss-of-funds vulnerability in the move verifier that appears to have been identified by @zellic_io.
This could have enabled various types of exploits against protocols based on Aptos or Sui.

— Jasper | Neodyme (@JasperCPS) April 11, 2023

The vulnerability was located in a dependency of the bytecode verifier, which ensures that the human-readable Move language utilized for writing smart contracts on Sui is accurately converted into machine code during deployment. If left unaddressed, the flaw could have “permitted attackers to circumvent multiple security properties, resulting in potentially substantial financial losses,” the announcement indicated.

As per the announcement, Sui developer Mysten Labs rectified the issue on March 30, in commit 8bddbe65, after being alerted to its presence by Zellic. The flaw may have also existed in other Move-based networks, such as Aptos and Starcoin. The Aptos variant of the vulnerability was resolved with a patch on April 10, according to the Zellic team.

In a discussion with Cointelegraph, a representative from the Move-based 0L network mentioned that the bug does not impact its version of Move. On May 15, 0L implemented a series of tests on their GitHub, claiming these demonstrate that the exploit is not feasible on the 0L version.

Cointelegraph contacted Aptos and Starcoin for comments but did not receive a response by the time of publication.

A blockchain network created by Mysten Labs, Sui was established by former engineers from Meta Platforms. It is a fork of the open-source Libra project initiated by Facebook’s parent company, Meta. Libra was discontinued in 2019.

Some developers prefer the Move smart contract language due to its security features that specifically enhance blockchain functionality. For instance, it enables developers to create custom data types, including a “coin” type that cannot be duplicated or erased.

Related: Justin Sun issues apology after Sui LaunchPool clashes with Binance CEO

Similar to other blockchain networks, Sui does not retain code in the same language it is authored in. Instead, it translates this code from the network’s human-readable language to machine-readable bytecode.

During this translation process, Sui conducts a series of verifications to ensure the converted code adheres to the network’s security properties. For example, it verifies that coins cannot be deleted or duplicated.

According to Zellic’s explanatory blog post, it was commissioned by Mysten Labs to perform a security evaluation of this verifier program. It did not identify a flaw in the verifier itself. However, it discovered a bug in the “Control Flow Graph” or “CFG” file that the verifier utilizes to perform many of its functions. Due to its construction, the CFG could permit certain lines of code to be concealed from the verifier, enabling code that breaches the network’s security principles to be stored and executed without detection.

In its explanation, the team noted that the most apparent method this vulnerability could have been exploited is through malicious borrowers taking out flash loans. When flash loans are executed on Move-based networks, the loan protocol typically provides the borrower with an asset that cannot be deleted. If the borrower is able to delete this asset, they “could successfully take out a flash loan and not repay the borrowed funds,” the team explained. Other forms of exploits could also have been feasible since the vulnerability allowed for violations of the fundamental principles of Move security. It, therefore, “[placed] potentially billions of dollars at risk,” the security firm stated in its post.

Move-based networks and their applications have been gaining attention in the fundraising arena recently. A Sui-based decentralized exchange named Cetus raised over $6 million in just one minute on May 8. The organization behind Aptos also secured over $150 million in July 2022.