Libra-related Sui blockchain fixes critical flaw that puts “billions” at risk

The Sui blockchain network quietly fixed a bug that could have put “billions of dollars” at risk, according to a May 16 announcement from Zellic, the security firm hired to audit the network’s security.

The flaw was in a dependency on the bytecode verifier, which ensures that the human-readable Move language used to write smart contracts on Sui is correctly transcribed into machine code during deployment. Had the flaw not been patched, it could have “allowed attackers to bypass multiple security features, leading to potentially significant financial damages,” the announcement said.

According to the announcement, Sui developer Mysten Labs fixed the bug on March 30, in commit 8bddbe65, after Zellic informed them of its existence. The bug may have also been present in other Move-based networks, including Aptos and Starcoin. The Aptos version of the bug was eliminated with an update on April 10, according to the Zellic team.

Speaking to Cointelegraph, a representative from the Move-based 0L network stated that the bug does not affect the version of Move. On May 15, 0L added a series of tests to GitHub, which it says prove the exploit is not possible on the 0L version.

Cointelegraph contacted Aptos and Starcoin for comment, but did not receive a response by the time of publication.

A blockchain network developed by Mysten Labs, Sui was founded by former Meta Platforms engineers. It is a fork of the open source Libra project created by Facebook parent Meta. Libra was shut down in 2019.

Some developers prefer the Move smart contract language because its security features specifically benefit blockchains. For example, it allows developers to create custom data types, including a “coin” type that cannot be copied or deleted.

Related: Justin Sun apologizes after Sui LaunchPool clashed with Binance CEO

Like other blockchain networks, Sui does not store code in the same language it is written in. Instead, it converts this code from the network’s human-readable language into machine-readable bytecode.

By creating this translation, Sui runs a series of verifications to ensure that the translated code does not violate the security properties of the network. For example, it ensures that coins cannot be deleted or copied.

According to Zellic’s explanatory blog post, it was hired by Mysten Labs to do a security assessment of this verifier. It found no errors in the verifier itself. However, it found an error in the “Control Flow Graph” or “CFG” file that the verifier uses to perform many of its tasks. Because of how it was written, CFG could allow certain lines of code to be hidden from the verifier, allowing code that violates network security principles to be stored and executed without being caught.

In its explanation, the team stated that the most obvious way this vulnerability could have been exploited is by malicious borrowers taking out flash loans. When flash loans are implemented on Move-based networks, the loan protocol typically sends the borrower an asset that cannot be deleted. If the borrower can write off this asset, they “can successfully take out a flash loan and not pay back the borrowed funds,” the team said. Other types of exploits could also be possible since the vulnerability allowed the fundamental principles of Move security to be breached. That is why “[placed] potentially billions of dollars at risk,” the security firm stated in its post.

Move-based networks and their apps have been making waves in the fundraising world lately. A Sui-based decentralized exchange called Cetus raised over $6 million in one minute on May 8. The company behind Aptos also raised over $150 million in July 2022.