Immunefi

Published in Immunefi

Bitswift Race Condition Bugfix Review

Summary

Whitehat Yash Sodha submitted a critical vulnerability in Bitswift to Immunefi on May 9. The race condition vulnerability would have allowed a malicious user to repeatedly claim the same voucher, which entitles a user to some amount of crypto tokens. In summary, a hacker could have potentially sent high-frequency claim requests in parallel to Bitswift’s claim faucet and received more crypto-assets than the hacker was entitled to. This vulnerability was not exploited. Bitswift disabled the claim faucet function and immediately worked to implement a fix. Bitswift paid a $5,710 CAD bounty to the whitehat for disclosing the vulnerability.

Vulnerability Analysis

When a user makes a voucher claim with a cryptocurrency coinid via the Bitswift web application, an HTTP POST request is made to https://bitswift.cash:8443/claim. However, a race condition exists that allows a user to send the request multiple times, and two or more of the requests for the same voucher may succeed if they are sent in parallel.

The POST is as follows:

POST /claim HTTP/1.1
Host: bitswift.cash:8443
Connection: keep-alive
Content-Length: 61
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
Authorization: REDACTED
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4491.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: https://bitswift.cash
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://bitswift.cash/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"coinid":8,"token":"iJEUih4uihwUIheUILglrv612tf3zg5rjkqwej"}

The step-by-step walkthrough of this exploit is illustrated below:

1. Visit https://bitswift.cash/holdings

2. Click on claim

3. Click the claim button on any currency and intercept the request

4. Send the request multiple times using Turbo Intruder

Vulnerability Fix

Following the report, Bitswift immediately disabled the claim faucet functions and alerted its users via social media channels. Bitswift has now implemented methods to secure the faucet and claim functions in an effort to bring them back online. The rest of the platform (imports / exports / balances) remained online and functional through this time.
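The report does not show Bitswift's server code, so the following is an added example (not Bitswift's or Immunefi's code) that models the class of bug described in the analysis and the kind of fix the paragraph above refers to. It uses a constructed SQLite schema (a vouchers table and a balances table), a hypothetical voucher token and amount, and a user called alice. claim_racy reads the voucher's claimed flag and credits the balance in separate statements, so parallel requests all pass the check; claim_atomic flips the flag with a single conditional UPDATE inside a write transaction and only credits when exactly one row changed. run_parallel releases N identical claims at the same instant, which is what sending the captured request repeatedly in parallel amounts to, and returns how many claims succeeded and the resulting balance. The conditional-update-plus-rowcount pattern generalises to any "claim once" resource, not just faucet vouchers.

```python
import sqlite3
import tempfile
import threading
import time
from pathlib import Path

# Constructed sample data (hypothetical values, not the real token from the report).
VOUCHER_TOKEN = "demo-voucher-token"
VOUCHER_AMOUNT = 100
USER = "alice"


def make_db() -> str:
    """Create a temporary SQLite database with one unclaimed voucher and a zero balance."""
    path = Path(tempfile.mkdtemp()) / "faucet.db"
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE vouchers (token TEXT PRIMARY KEY, coinid INTEGER, "
        "amount INTEGER NOT NULL, claimed INTEGER NOT NULL DEFAULT 0)"
    )
    con.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, amount INTEGER NOT NULL)")
    con.execute("INSERT INTO vouchers VALUES (?, 8, ?, 0)", (VOUCHER_TOKEN, VOUCHER_AMOUNT))
    con.execute("INSERT INTO balances VALUES (?, 0)", (USER,))
    con.commit()
    con.close()
    return str(path)


def claim_racy(path: str, user: str, token: str, delay: float = 0.05) -> bool:
    """Check-then-act handler: the 'already claimed?' check and the credit are
    separate statements, so every request that runs before the first write
    lands sees claimed = 0 and is paid out."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)  # autocommit
    try:
        row = con.execute("SELECT amount, claimed FROM vouchers WHERE token = ?", (token,)).fetchone()
        if row is None or row[1]:
            return False
        time.sleep(delay)  # stands in for other work between the check and the write
        con.execute("UPDATE vouchers SET claimed = 1 WHERE token = ?", (token,))
        con.execute("UPDATE balances SET amount = amount + ? WHERE user = ?", (row[0], user))
        return True
    finally:
        con.close()


def claim_atomic(path: str, user: str, token: str, delay: float = 0.05) -> bool:
    """Hardened handler: one conditional UPDATE moves the voucher from unclaimed
    to claimed inside a write transaction. The database serialises writers, so
    exactly one request observes rowcount == 1; the rest roll back unpaid."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        con.execute("BEGIN IMMEDIATE")  # acquire the write lock before checking
        cur = con.execute(
            "UPDATE vouchers SET claimed = 1 WHERE token = ? AND claimed = 0", (token,)
        )
        if cur.rowcount != 1:
            con.execute("ROLLBACK")
            return False
        time.sleep(delay)  # same latency as above; it no longer matters
        amount = con.execute("SELECT amount FROM vouchers WHERE token = ?", (token,)).fetchone()[0]
        con.execute("UPDATE balances SET amount = amount + ? WHERE user = ?", (amount, user))
        con.execute("COMMIT")
        return True
    finally:
        con.close()


def run_parallel(handler, n_requests: int = 10):
    """Fire n_requests identical claims at once and return (successful claims, final balance)."""
    path = make_db()
    barrier = threading.Barrier(n_requests)
    results = []

    def worker():
        barrier.wait()  # release every request at the same instant
        results.append(handler(path, USER, VOUCHER_TOKEN))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    balance = con.execute("SELECT amount FROM balances WHERE user = ?", (USER,)).fetchone()[0]
    con.close()
    return sum(results), balance


if __name__ == "__main__":
    print("check-then-act (racy):     ", run_parallel(claim_racy))
    print("conditional update (fixed):", run_parallel(claim_atomic))
```

The same idea applies with any relational store: make the state transition itself the check (UPDATE ... WHERE claimed = 0, or an INSERT into a claims table with a unique constraint on the voucher) and pay out only when the database confirms that exactly one row changed. A per-user or per-voucher lock held across the whole handler also works, but the conditional write is cheaper and cannot be forgotten on one code path.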

Bitswift remains actively engaged with Immunefi to ensure its platforms and services remain the best in their class.

Acknowledgements

We’d like to thank the Bitswift team for implementing a fix and paying out a critical-level bounty to Yash Sodha. Bitswift would like to thank Immunefi for working together to make Bitswift.cash a safer place for all users. To report additional vulnerabilities, please see Bitswift’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like Bitswift, visit the Immunefi services page and fill out the form.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.
