Sui Blockchain Fixes Critical Bug Amid Security Concerns
The Sui blockchain network quietly fixed a bug that could have put “billions of dollars” at risk, according to a May 16 announcement from Zellic, the security firm hired to audit the network’s security.
The bug was located in a crucial part of the bytecode verifier that ensures the Move language – used to write smart contracts on Sui – is accurately transcribed into machine code during deployment. This serious vulnerability could have “allowed attackers to bypass multiple security properties, leading to potentially significant financial damages,” the announcement stated.
A Quiet Fix, A Major Impact
According to Zellic, the bug was rectified by Sui developer Mysten Labs on March 30, after being alerted to its existence. This bug could have potentially affected other Move-based networks such as Aptos and Starcoin, which subsequently patched the bug on April 10.
By contrast, representatives from the Move-based 0L network confirmed that their version of Move is unaffected by the bug. This assurance was followed by a series of tests, added to their GitHub on May 15, intended to show that the exploit is not possible on their version.
The Role of Move Language in Blockchain Security
Developed by Mysten Labs, Sui is a blockchain network founded by ex-Meta Platforms engineers. It is a fork of the open-source Libra project initiated by Facebook-parent Meta, which was discontinued in 2019.
The Move smart contract language is favored by some developers due to its tailored security features that specifically benefit blockchain networks. For instance, it allows the creation of custom data types, such as a “coin” type that cannot be duplicated or deleted.
The Vulnerability and its Potential Impact
Sui, like other blockchain networks, does not store code in the same language it’s written in. Rather, it translates the code from human-readable language to machine-readable bytecode, running a series of verifications in the process to ensure the translated code adheres to the network’s security principles.
Zellic, commissioned by Mysten Labs to conduct a security assessment of the verifier program, discovered a bug not in the verifier itself but in the Control Flow Graph (CFG) file the verifier relies on. Because of the way the CFG was constructed, certain lines of code could be hidden from the verifier, allowing violations of the network’s security principles to go unnoticed.
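To make the failure class concrete, here is an added, constructed toy in Python (not Move bytecode, not the Move verifier's CFG code, and not the actual Sui bug): a verifier that only inspects the blocks its CFG can reach will miss an instruction when the CFG disagrees with the interpreter, which is why the hardened check inspects every instruction regardless of what the CFG says. The instruction set, `FORBIDDEN`, `SAMPLE` and the `fallthrough` switch are all assumptions of this example.

```python
# Constructed toy, not Move bytecode or the Move verifier's real CFG code.
# Instructions are (opcode, arg): NEW creates a non-droppable resource,
# DESTROY deletes it (what the verifier must reject), BR jumps to arg or
# falls through depending on a runtime condition, RET returns.
FORBIDDEN = {"DESTROY"}

def leaders(code):
    """Basic-block start offsets: entry, branch targets, post-branch."""
    starts = {0}
    for i, (op, arg) in enumerate(code):
        if op == "BR":
            starts.update({arg, i + 1} if i + 1 < len(code) else {arg})
    return sorted(starts)

def build_cfg(code, fallthrough):
    """Block start -> (end, successors). With fallthrough=False the builder
    records only the branch target, a CFG that disagrees with the
    interpreter and so hides the fallthrough block from a CFG-driven walk."""
    starts, cfg = leaders(code), {}
    for k, s in enumerate(starts):
        end = starts[k + 1] if k + 1 < len(starts) else len(code)
        op, arg = code[end - 1]
        succ = {arg} if op == "BR" else set()
        if op != "RET" and end < len(code) and (op != "BR" or fallthrough):
            succ.add(end)
        cfg[s] = (end, succ)
    return cfg

def verify_reachable(code, cfg):
    """Verifier that inspects only blocks the CFG reaches from entry."""
    seen, work = set(), [0]
    while work:
        s = work.pop()
        if s in seen:
            continue
        seen.add(s)
        end, succ = cfg[s]
        if any(op in FORBIDDEN for op, _ in code[s:end]):
            return False
        work.extend(succ)
    return True

def verify_all(code):
    """Hardened check: inspect every instruction regardless of the CFG."""
    return not any(op in FORBIDDEN for op, _ in code)

# Constructed sample: BR skips DESTROY only when taken; not taken executes it.
SAMPLE = [("NEW", None), ("BR", 3), ("DESTROY", None), ("RET", None)]
```

With the incomplete CFG, `verify_reachable` accepts `SAMPLE` even though the interpreter can execute `DESTROY`; `verify_all` rejects it either way.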
Exploitation Risks and Financial Implications
The security firm noted that the most straightforward exploitation of this vulnerability could have been by malicious borrowers taking out flash loans. On Move-based networks, the loan protocol typically sends an undeletable asset to the borrower. If the borrower could delete this asset, they could potentially take out a flash loan without repaying the borrowed funds. Other types of exploits could also have been possible, thus “[placing] potentially billions of dollars at risk,” as per Zellic’s statement.
Despite these recent security concerns, Move-based networks and their associated applications continue to make an impact in the financial world. Sui-based decentralized exchange Cetus, for instance, raised over $6 million in just one minute on May 8. Additionally, the company behind Aptos managed to raise over $150 million in July 2022.
Conclusion: An Important Step in Blockchain Security
This recent bug fix by the Sui network underscores the importance of diligent security measures in the fast-paced world of blockchain technology. While the bug could have led to significant financial damages, swift action from Mysten Labs and Zellic ensured that this risk was mitigated. As blockchain networks continue to grow in popularity and usage, such proactive measures will be vital to ensure the security of billions of dollars in digital assets.
While the situation was resolved without any known exploits taking place, it serves as a reminder to the blockchain community about the need for ongoing security auditing and rapid response to potential vulnerabilities. This event has shown that even the most sophisticated systems can have vulnerabilities, and the importance of continuous monitoring and testing cannot be overstated.