Web3 investor and developer Jump Crypto has recently uncovered a significant vulnerability in Celer’s State Guardian Network (SGN), posing a potential threat to the network’s integrity and applications, including Celer’s cBridge.
In a detailed postmortem report, Jump Crypto revealed that a bug in the SGN EndBlocker code allowed validators to cast multiple votes on the same update. Exploiting this flaw, malicious validators could manipulate the voting process, effectively amplifying their voting power and potentially approving harmful or invalid updates. The report highlighted the issue, stating:
“The [EndBlocker] code is missing a check that prevents a validator from voting on the same update twice. A malicious validator could exploit this by voting multiple times on the same update, effectively multiplying their voting power and potentially tipping the vote in favor of an invalid or malicious update.”
Celer, a Cosmos-based blockchain facilitating cross-chain communication, underwent scrutiny from Jump Crypto after releasing portions of the off-chain SGNv2 code on GitHub. The vulnerability was privately disclosed to the protocol’s team, promptly patched, and no known malicious exploitation occurred.
According to the report, this vulnerability granted malicious validators a broad range of possibilities, including the ability to fabricate on-chain events like bridge transfers, message emissions, and staking and delegation activities within Celer’s main SGN contract.
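The missing check described in the report, reduced to a toy tally in Go (the language of Cosmos-based chains). This is an added illustration, not Celer's SGN code: the `Vote` type, the two tally functions and the two-thirds threshold are assumptions made for the example.

```go
package main

import "fmt"

// Vote is one validator's vote on a proposed update (toy type, not Celer's code).
type Vote struct {
	Validator string // validator identity
	UpdateID  string // update being voted on
	Power     int64  // stake-weighted voting power
}

// tallyNoDedup mirrors the flaw the report describes: every vote adds
// the validator's power, so a repeated vote is counted again.
func tallyNoDedup(votes []Vote, updateID string) int64 {
	var total int64
	for _, v := range votes {
		if v.UpdateID == updateID {
			total += v.Power
		}
	}
	return total
}

// tallyDedup adds the missing check: a validator's power counts at
// most once per update, however many times it votes.
func tallyDedup(votes []Vote, updateID string) int64 {
	seen := make(map[string]bool)
	var total int64
	for _, v := range votes {
		if v.UpdateID != updateID || seen[v.Validator] {
			continue
		}
		seen[v.Validator] = true
		total += v.Power
	}
	return total
}

// approved reports whether a tally exceeds two thirds of total power.
func approved(tally, totalPower int64) bool {
	return tally*3 > totalPower*2
}

func main() {
	// Constructed sample: four validators of 100 power each (400 total);
	// A votes once and C submits the same vote three times on "u1".
	votes := []Vote{{"A", "u1", 100}, {"C", "u1", 100}, {"C", "u1", 100}, {"C", "u1", 100}}
	fmt.Println(approved(tallyNoDedup(votes, "u1"), 400)) // true: 400 of 400 counted
	fmt.Println(approved(tallyDedup(votes, "u1"), 400))   // false: 200 of 400 counted
}
```

With the check in place the repeated votes are dropped and the update falls short of quorum, which is the behaviour the patch restored.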
To mitigate the impact, Celer implemented defensive measures to safeguard bridge funds. These include a delay triggered by the bridge contract for high-value transfers, a volume-control mechanism limiting the value of tokens extractable within a short timeframe, and an emergency halt of contracts in response to under-collateralization caused by malicious transfers.
Despite these safeguards, the report emphasized that the protocol remains partially vulnerable. Transaction limits apply on a per-chain and per-token basis, and given the extensive range of supported tokens and chains, an attacker could potentially extract tokens worth approximately $30 million before the contracts are halted. This represents approximately 23% of Celer’s current total value locked.
Importantly, the built-in mechanisms primarily protect Celer’s bridge contracts, leaving dApps built on top of Celer’s inter-chain messaging system fully exposed to these vulnerabilities by default.
While Celer offers a $2 million bug bounty program for vulnerabilities in its bridge, off-chain bugs such as the one discovered in the SGNv2 network are currently not covered. Jump Crypto has engaged in discussions with the protocol about including the SGNv2 network in its bug bounty program, and Celer’s team is currently evaluating a potential payout for Jump’s report.