Addressing the Glitch Bridge Exploit
Hello Glitchers,
Today we share a full report on the exploit of the Glitch bridge infrastructure that occurred in August 2022. After thoroughly investigating the situation, compiling the facts, and implementing the fix, we are ready to explain what happened.
As we have seen before, exploits are commonplace in the decentralized industry when working with experimental technology. Over the past few weeks we have put the proper security measures in place, including new operational procedures and hardened server access. Let's discuss the issue, the solution, the lessons learned, and the path forward.
The Issue
In August, an attacker exploited the Glitch bridge. By brute-forcing SSH, the attacker obtained unauthorized superuser access to the backend servers running the bridge code, and with that access could execute unauthorized transactions. A community member spotted the attack as it happened and immediately escalated it to the team. Once the development team verified the issue, a fix was developed and deployed. Here are the high-level steps of how the attacker moved through the system.
First, the attacker submitted a swap request for a small amount of GLCH, less than the bridge wallet's balance. The bridge scanned the deposit transaction and stored it in its database. The attacker then brute-forced SSH access to the backend server and, using the bridge's minting privileges, minted a chosen amount of GLCH; in effect, the minter contract's authority was compromised. They then completed the swap from Ethereum to BSC, and altered the record of the amount originally minted to avoid detection. Once the transaction was filled on BSC, they transferred the tokens to other addresses and sold them, but also burned 950K GLCH.
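The sequence above shows why the bridge's database cannot be the source of truth for a swap: once the attacker had the server, they could both mint freely and edit the stored amounts. The following reconciliation check is an added example, not code from the Glitch bridge. It treats the source-chain deposit events and the destination-chain mint events as the only trusted inputs and flags any swap whose mint exceeds its deposit, any database amount that disagrees with the chain, and any mint with no swap behind it. All records, transaction hashes and addresses in it are constructed placeholders.

```python
"""Reconcile bridge swap records against both chains.

Added example, not Glitch's bridge code. It demonstrates the invariant the
attack violated: for a lock-and-mint bridge, the amount minted on the
destination chain for a swap must equal the amount deposited on the source
chain, and the backend database must not be trusted for either figure.
Every record below is constructed; tx hashes and addresses are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Deposit:
    """Lock/deposit event read from the source chain (trusted input)."""
    tx: str
    sender: str
    amount: Decimal


@dataclass(frozen=True)
class SwapRecord:
    """What the backend database claims about a swap (attacker-writable)."""
    deposit_tx: str
    amount: Decimal
    mint_tx: str


@dataclass(frozen=True)
class Mint:
    """Mint event read from the destination chain (trusted output)."""
    tx: str
    recipient: str
    amount: Decimal


def reconcile(deposits: list[Deposit], records: list[SwapRecord], mints: list[Mint]) -> list[str]:
    """Cross-check every swap record against the two chains.

    Findings are raised for records without a source deposit, records whose
    mint never happened, database amounts that disagree with the deposit,
    mints larger than the deposit they claim to back, and on-chain mints that
    no record explains.
    """
    by_deposit = {d.tx: d for d in deposits}
    by_mint = {m.tx: m for m in mints}
    findings: list[str] = []
    for r in records:
        dep = by_deposit.get(r.deposit_tx)
        if dep is None:
            findings.append(f"{r.deposit_tx}: no matching deposit on the source chain")
            continue
        mint = by_mint.get(r.mint_tx)
        if mint is None:
            findings.append(f"{r.deposit_tx}: claimed mint {r.mint_tx} not found on the destination chain")
            continue
        if r.amount != dep.amount:
            findings.append(f"{r.deposit_tx}: database amount {r.amount} != deposited {dep.amount}")
        if mint.amount != dep.amount:
            findings.append(
                f"{r.deposit_tx}: minted {mint.amount} != deposited {dep.amount} "
                f"(excess {mint.amount - dep.amount})"
            )
    recorded = {r.mint_tx for r in records}
    for m in mints:
        if m.tx not in recorded:
            findings.append(f"{m.tx}: on-chain mint of {m.amount} with no swap record")
    return findings


def supply_gap(deposits: list[Deposit], mints: list[Mint]) -> Decimal:
    """Destination-chain tokens minted beyond the tokens locked on the source chain.

    Zero is the healthy state; any positive value means the bridge has
    inflated supply and the hard cap is broken.
    """
    minted = sum((m.amount for m in mints), Decimal(0))
    locked = sum((d.amount for d in deposits), Decimal(0))
    return minted - locked


# Constructed sample: one honest swap and one that follows the attack
# narrative (tiny deposit, huge mint, database record edited to match the
# deposit so a database-only check would pass).
DEPOSITS = [
    Deposit("0xdep1", "0xhonest", Decimal("250")),
    Deposit("0xdep2", "0xattacker", Decimal("10")),
]
RECORDS = [
    SwapRecord("0xdep1", Decimal("250"), "0xmint1"),
    SwapRecord("0xdep2", Decimal("10"), "0xmint2"),  # amount edited after the fact
]
MINTS = [
    Mint("0xmint1", "0xhonest", Decimal("250")),
    Mint("0xmint2", "0xattacker", Decimal("1441044.056")),
]

if __name__ == "__main__":
    for finding in reconcile(DEPOSITS, RECORDS, MINTS):
        print(finding)
    print("supply gap:", supply_gap(DEPOSITS, MINTS))
```

On the sample data the edited database record passes a database-only comparison, but the chain-to-chain check reports the oversized mint and `supply_gap` shows the exact inflation. Run as a periodic job against both chains, a non-zero gap is the signal to pause the bridge, independently of whether the backend host is still trustworthy.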
Let’s clear up the total number of tokens and the status around this:
- GLCH total supply: 88,888,888 GLCH
- Total minted tokens in exploit: 1,441,044.056 GLCH
- Total tokens burned by attacker: 950,000 GLCH
- Total minted tokens remaining: 491,044.0563 GLCH
- Current non-native GLCH total supply: 89,379,932.05 GLCH
So, who was the attacker? Have we identified them? We compiled a list of the wallets used by the attacker and the deposits made to an exchange. The addresses show how the funds were distributed across wallets. We believe two individuals are involved, and we have a lead on one of them.
Glitch wallets:
- 0x3121f160529766392a12f385d1fa908cdb2158b6
- 0x1a065f5a88f05cd9ace52a08b7a72ceb6f902105
Attacker wallet addresses:
- 0x9ddabe367341aa8145f237be058cd4f332aea2e0
- 0xfe0fde87a2e07086f94c6157b57b0a047d2f973d
- 0xc295eee1b7386bf63b63d5373e7bcce6f03aec80
- 0x0a8c8effba64938ae4967b0efba93a2ea7cfc8ad
- 0x06c51040a6ac820851c05b3833c595ea86eb709e
- 0x01977ec1d1179aeff5c02b1d92c9a9f0133e0f1e
Attacker final deposits:
- 0x4fdBF85903ca4A52623565726ea4869A6f2B8029
- 0x6Bf18BaF7819Bd6232879d1cef883cAf2DCF7e95
The attacker deposited tokens to a specific exchange, which allowed us to track them. Since the exchange requires KYC, we have contacted it and will pursue legal action against the attacker unless the tokens are returned, as explained below. We are glad that the exchange in question will cooperate with our efforts.
What will the team do about the 491K GLCH tokens? We are still assessing options, including a token burn. In the meantime, we have decided to allow the attacker to return the GLCH to the address "0xDc665d2Bce36fb729CEf265c4CF13661f511F552", or its value of $35,000 in USDT, by midnight on October 21st, 2022, for legal de-escalation. The migration to the network's native standard will occur in the near future. When it takes place, the genesis block will mint all nGLCH tokens on the Glitch blockchain and give every participant their equivalent in nGLCH based on a snapshot of the other chain. In the end, the total supply will remain at 88.88M nGLCH tokens, confirming the hard cap on total supply.
Let’s discuss the solution implemented after the development team identified the exploit.
The Solution
Once the team discovered the exploit, we quickly shut down the bridge and cut off access to all affected servers. We began reviewing the code for malicious backdoors and built a tool to analyse the incident systematically; it gave us the bigger picture and helped us identify the attacker.
Since then, the team has finalized and implemented a solution. We have transferred balances and replaced all of the bridge hot wallets with new ones on both networks. All servers are now secured under new security practices, with new operational procedures on the administration side of the organization. The SSH service has been reconfigured: it is closed by default, moved to a different port, restricted by SOP to whitelisted addresses, and opened only when maintenance is required. We plan to evaluate further options, beyond internal protocols and measures, to prevent these issues from recurring.
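The server-side change above comes down to a handful of sshd directives plus a firewall rule. As an added example (not Glitch's configuration or tooling), the block below places a stock, brute-forceable sshd_config beside a hardened one and audits both for the settings that enable or ease password guessing: password and keyboard-interactive logins, direct root login, the default port, an empty user allow-list, and a generous MaxAuthTries. Both configs are constructed; the `bridgeops` account and the 203.0.113.0/24 maintenance network are assumptions (the latter is an RFC 5737 documentation range). Keeping the port closed outside maintenance windows is a firewall matter and is not represented in the file.

```python
"""Audit an sshd_config for the settings that make SSH brute force viable.

Added example; this is not Glitch's server configuration or tooling. The
two configs are constructed for illustration, and 203.0.113.0/24 is an
RFC 5737 documentation range standing in for a hypothetical admin network.
"""
from __future__ import annotations

# Constructed: a stock config that exposes password logins, including
# root, on the default port to the whole internet.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed: the hardened shape described in the write-up. Non-default
# port, key-only authentication, no root login, and a login allow-list that
# only admits one (assumed) service account from the (assumed) maintenance
# network. The firewall rule that keeps the port closed outside maintenance
# windows lives outside this file.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers bridgeops@203.0.113.0/24
"""

# Values sshd uses when a directive is absent (see sshd_config(5)).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Parse the global section of an sshd_config into {directive: value}.

    sshd honours the first occurrence of a directive, so the first value
    wins. Directive names are case-insensitive and are lower-cased here.
    Anything after the first 'Match' line is conditional and is skipped.
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def audit_sshd_config(cfg: dict[str, str]) -> list[str]:
    """Return one finding per setting that enables or eases SSH brute force."""
    def get(key: str) -> str:
        return cfg.get(key, DEFAULTS[key]).lower()

    findings: list[str] = []
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed online")
    if get("kbdinteractiveauthentication") == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM may still accept passwords")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication off: no key-based alternative to passwords")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: a guessed root password gives superuser directly")
    if get("port") == "22":
        findings.append("Port 22: default port is hammered by mass scanners")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account is a login target")
    if int(get("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {get('maxauthtries')}: more guesses per connection than needed")
    return findings


def audit_text(text: str) -> list[str]:
    """Convenience wrapper: parse and audit a config given as text."""
    return audit_sshd_config(parse_sshd_config(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The audit is intentionally conservative: it reads only the global section, because directives inside a `Match` block apply conditionally and would need the connection's user and source address to evaluate. Changing the port is the weakest of the controls listed; key-only authentication and the allow-list are what actually remove the password-guessing attack surface.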
The Lesson
“Some lessons can’t be taught. They simply have to be learned.”
Security must always be a priority. While we do our best to maintain strong security practices, we admit that the development team did not properly secure the server. We have since developed and implemented new protocols and operational procedures. Going forward, it is critical that we review user access levels, enforce stronger authentication, and properly maintain existing code and infrastructure. We must also regularly re-check actions taken over past months and years to ensure everything remains in order. And we plan to complete a smart-contract security audit for the network to help restore trust.
Moving Forward
In all, smart contracts and crypto infrastructure are experimental technologies that will require upgrades, maintenance, and innovation to strengthen them. It is human to make mistakes, but we stood up, owned it, and began implementing solutions that work. We hope you see the bigger picture in a world of evolving technology. No team operates perfectly, but we can strive to as we continue to grow together.
The Glitch Bridge has been fixed, improved upon, redeployed, and is online to use. Click here to visit the Glitch Bridge. Please contact us on the official Discord support channel if further help is needed.
With the bridge situation behind us, we move forward to building out the mainnet. We recently completed Phase III: Von Hayek and announced Phase IV: Bellerophon roadmap breakdown. The upcoming mainnet phase encompasses network upgrades like substrate-based smart contracts and revenue-sharing MVP so developers can begin to launch their dApps and migrate their EVM contracts onto GLITCH.
Thank you to all of our supporters. Let’s continue focusing on building an impactful layer-one blockchain that strives to lead the decentralized money market ecosystem.
Join us on our journey — It’s just getting warmed up.
– Team Glitch
About Glitch
GLITCH is a blockchain-agnostic super protocol explicitly designed for trustless money markets and decentralized financial applications (dApps). GLITCH solves the expensive fee structure of other blockchain platforms while simultaneously rewarding all ecosystem participants and guaranteeing low network fees through a unique revenue-sharing model. Glitch plans to incorporate token wrapping bridges, where dApps can run more efficiently, all in service of Glitch’s ultimate goal: to become a cornerstone of blockchain infrastructure.