
Not a $320 million theft, but still, that’s more than a protocol can afford to lose
Another DeFi-related project by the name of MeterIO was hacked, facing a loss of $4.3 million, which could be worth more by press time due to increased volatility on the cryptocurrency market. Hackers stole 1,391 ETH and 2.7 BTC.
Technical explanation of the hack
Meter replicates the ChainSwap cross-chain hub technology quite well, or is simply a fork of it. But the main difference introduced by Meter developers is a change to the deposit method of the ERC20 manager.
The changed code assumes that when the bridged token is a wrapped Native token, it should not be burned or locked, since the wrapped Native token is already unwrapped.
The assumption holds for only one of the deposit methods; it does not hold for the other deposit method in the contract on the WETH deposit address.
The hacker noticed the flaw in the contract, sent the needed amount in calldata, and took control of funds that he or she should not have had.
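The flaw described above, as a minimal Python model added here for illustration; it is not Meter's or ChainSwap's contract code, and the class, method and token names and the balances are hypothetical. The vulnerable handler skips locking based on the token type alone, one possible hardening decides from the entry point taken, and `solvent()` is the invariant a test suite or monitor would check.

```python
# Toy model of the bridge accounting; all names and balances are hypothetical.
WRAPPED_NATIVE = "WETH"

class InsufficientBalance(Exception):
    pass

class Bridge:
    def __init__(self, hardened):
        self.hardened = hardened
        self.collateral = 0  # value the bridge has actually received
        self.credited = 0    # value it has promised on the destination chain

    def _lock(self, balances, depositor, token, amount):
        if balances.get((depositor, token), 0) < amount:
            raise InsufficientBalance(depositor)
        balances[(depositor, token)] -= amount
        self.collateral += amount

    def _handler_deposit(self, balances, depositor, token, amount, prepaid):
        if self.hardened:
            skip_lock = prepaid                  # decided by the entry point taken
        else:
            skip_lock = token == WRAPPED_NATIVE  # flawed: decided by token type alone
        if not skip_lock:
            self._lock(balances, depositor, token, amount)
        self.credited += amount

    def deposit_native(self, balances, depositor, value):
        # Native coin arrives with the call and is wrapped before the handler runs.
        self._lock(balances, depositor, "NATIVE", value)
        self._handler_deposit(balances, depositor, WRAPPED_NATIVE, value, prepaid=True)

    def deposit(self, balances, depositor, token, amount):
        # Generic path: `amount` is whatever the caller supplied in calldata.
        self._handler_deposit(balances, depositor, token, amount, prepaid=False)

    def solvent(self):
        return self.credited <= self.collateral

def replay(hardened):
    # One funded native deposit, then one unfunded generic deposit.
    bridge = Bridge(hardened)
    balances = {("alice", "NATIVE"): 10}  # constructed sample state
    bridge.deposit_native(balances, "alice", 10)
    try:
        bridge.deposit(balances, "unfunded", WRAPPED_NATIVE, 1000)
        rejected = False
    except InsufficientBalance:
        rejected = True
    return rejected, bridge.solvent()
```

`replay(False)` returns `(False, False)`: the unfunded deposit is accepted and credits exceed collateral. `replay(True)` returns `(True, True)`.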
Cross-chain bridges suffer
Meter’s case is not the first in the cross-chain industry: one of the largest Solana-Ethereum bridges faced a vulnerability that resulted in a loss of $320 million worth of cryptocurrency.
Reportedly, Wormhole’s issues were tied to an underlying bug in Solana’s core, which has been fixed in version 1.9. But since some contracts were running on older versions of the network, hackers were able to exploit the bug and steal users’ funds, which were later refunded by investors at a 1:1 rate.