The key to the theft of 20 million OP tokens: transaction replay

Background

On June 9, Optimism and Wintermute both published announcements disclosing to the community the loss of 20 million OP tokens. Optimism had commissioned Wintermute to provide liquidity services for OP in the secondary market and was to provide Wintermute with 20 million OP tokens. To receive the tokens, Wintermute gave Optimism a multi-signature address. After Optimism sent two test transactions and Wintermute confirmed they were correct, Optimism transferred 20 million OP to this address. After the transfer, Wintermute found that it had no way to control the tokens, because the multi-signature address it had provided was so far deployed only on the Ethereum mainnet and had not yet been deployed to the Optimism network. Wintermute immediately launched a remediation operation, but attackers had already noticed the vulnerability and deployed a multi-signature contract to this address on the Optimism network before Wintermute did, successfully taking control of the 20 million tokens. So the question is: why did this loophole occur?

Prerequisite knowledge

First, it is necessary to determine whether the transaction signature conforms to the [EIP155] standard. A signature conforming to [EIP155] hashes 9 RLP-encoded elements (nonce, gasprice, gas, to, value, data, chainid, 0, 0), which include the chainid, so the v value of an [EIP155]-compliant signature is {0,1} + chainid * 2 + 35. A signature that does not conform to [EIP155] hashes only 6 elements (nonce, gasprice, gas, to, value, data), so its v value is {0,1} + 27. Different chains are defined with different chainids, and different chainids give different v values. According to ECDSA, when the value of v is different, the public key recovered from the signature is also different, even if the values of r and s are the same. Therefore, transactions that conform to the [EIP155] standard cannot be successfully replayed on other chains.

It is worth mentioning that [EIP2718], implemented in the Ethereum London upgrade, introduced a new transaction format, 0x02 || RLP([chain_id, nonce, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, destination, amount, data, access_list, signature_y_parity, signature_r, signature_s]), in which the chainid is encoded separately and is not included in the signature v value. The v value serves only as a simple parity bit, so the v value of such a transaction signature is 0 or 1.
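The v-value rules above can be turned into a check that tells whether a raw transaction is bound to one chain. This is an added example, not code from the original article: the function names and the sample transactions are constructed for illustration (placeholder signatures), and chain ID 10 is assumed for Optimism.

```python
def rlp_decode(data: bytes, pos: int = 0):
    """Decode one RLP item at pos; return (item, next_pos). Minimal: no canonical-form checks."""
    b = data[pos]
    if b < 0x80:                                   # a single byte is its own encoding
        return data[pos:pos + 1], pos + 1
    if b < 0xc0:                                   # byte string, short or long form
        if b < 0xb8:
            n, start = b - 0x80, pos + 1
        else:
            ll = b - 0xb7
            n, start = int.from_bytes(data[pos + 1:pos + 1 + ll], "big"), pos + 1 + ll
        return data[start:start + n], start + n
    if b < 0xf8:                                   # list, short form
        n, start = b - 0xc0, pos + 1
    else:                                          # list, long form
        ll = b - 0xf7
        n, start = int.from_bytes(data[pos + 1:pos + 1 + ll], "big"), pos + 1 + ll
    items, p = [], start
    while p < start + n:
        item, p = rlp_decode(data, p)
        items.append(item)
    return items, start + n

def replay_scope(raw_hex: str):
    """Return (kind, chain_id); chain_id None means the signature is not tied to any chain."""
    raw = bytes.fromhex(raw_hex[2:] if raw_hex.startswith("0x") else raw_hex)
    if raw[0] == 0x02:                             # typed: 0x02 || RLP([chain_id, ...])
        fields, _ = rlp_decode(raw, 1)
        return "typed-0x02", int.from_bytes(fields[0], "big")
    fields, _ = rlp_decode(raw)                    # nonce, gasprice, gas, to, value, data, v, r, s
    if not isinstance(fields, list) or len(fields) != 9:
        raise ValueError("not a legacy transaction")
    v = int.from_bytes(fields[6], "big")
    if v in (27, 28):                              # v = {0,1} + 27: chainid was never signed
        return "legacy-unprotected", None
    if v >= 35:                                    # v = {0,1} + chainid * 2 + 35
        return "eip155", (v - 35) // 2
    raise ValueError(f"unexpected v value {v}")

# Constructed samples (placeholder r = s = 1, not valid signatures); only the layout matters.
SAMPLES = {
    "pre-EIP155, v=27": "0xcd030182520880808260001b0101",
    "EIP155, v=55": "0xcd03018252088080826000370101",
    "type 0x02": "0x02ce0a030101825208808080c0010101",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", replay_scope(raw))
```

A result with chain_id None is the case to flag: a deployer key that has ever signed such a transaction can have it re-broadcast on any other chain.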

Transaction replay

Once we understand the transaction signature structure above, it is clear that a transaction whose signature v value is 27 or 28 can be replayed on different chains. So how is it replayed on a different chain? This is no different from sending a transaction: the original transaction content is simply sent on the other chain.

Take the theft of Wintermute’s 20 million OP tokens as an example. In this incident, the attacker replayed the transaction in which Gnosis Safe deployed the Factory contract. Here we try to replay the Gnosis Safe Deployer 3 transaction with a nonce of 3.

A simpler way is to first get the raw transaction through Etherscan:

Then send it directly through Optimistic’s eth_sendRawTransaction [RPC](https://eth.wiki/json-rpc/API) interface.

If the original transaction content cannot be obtained directly, we can first fetch the transaction content through the eth_getTransactionByHash [RPC](https://eth.wiki/json-rpc/API) interface.

Then perform RLP encoding on the transaction content to obtain the original transaction content:

Then send it through Optimistic’s eth_sendRawTransaction [RPC](https://eth.wiki/json-rpc/API) interface.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/20-million-op-tokens-stolen-key-transaction-replay/