How a smart contract vulnerability was discovered and fixed

As you guys know, the Incognito network is in active development – a combined effort from the core dev team, a growing community, as well as external contributors. As we continually push upgrades and fixes, we’ll also be keeping you guys in the loop so we can all have a clearer picture of how the network as a whole is getting stronger.

Last Friday (2020/09/25), Incognito paused shield and unshield functions for ETH/ERC20 after identifying a smart contract bug. Here’s a breakdown of what happened, and what we did to address it.

How did we find it?

An external smart contract auditor samczsun found an issue with the Incognito contract, and asked a core team member to prove contract ownership before disclosing the issue. We’d like to express our thanks to samczsun for his professionalism and carefulness in making sure the issue was not disclosed to a dishonest party.

A core team developer sent the auditor a transaction signed by the Incognito contract admin. The transaction memo contained the developer’s telegram id in order for the auditor to trust that he was talking to the right person. The auditor pointed out the vulnerable contract code to the developer, and the core development team confirmed the bug. The contract was then paused.

What was the bug?

The bug came from the executeMulti function. Basically, the function allows the user to call a function from another contract with passed params on multiple tokens in the same call. It differentiates from the execute function by only accepting a single token.

Unfortunately, the executeMulti function was lacking logic to validate for token duplication, potentially allowing one to build a custom exchange and duplicate entries to double spend currency.

How did we fix it?

The core team reviewed the contract and realized that the executeMulti function was extraneous and therefore safe to remove from the contract. We believe that this was the safest and fastest way to solve the problem. The fix was deployed to the new contract within the same hour of bug confirmation, and tokens were moved to the new contract successfully.

What’s next?

We call on everyone who is able and willing to help make Incognito as safe and robust as it can be. The core team kickstarted the network and has taken on the responsibility of giving it legs – but Incognito belongs to all of us, and none of us can do it alone. You don’t have to be a smart contract wizard or a cryptography expert - every bug report, new idea, or piece of relevant research is always welcome.

Thank you to everyone who works towards privacy for all.

16 Likes

Great post! I’m glad there’s someone out there that cared enough to help our project and the industry. Does incognito have a bug bounty program? Does incognito submit proposed contract upgrades to any 3rd party auditing firm before making them live?

1 Like

hey @marko, we’re considering about bug bounty program officially. There are a few things we need to figure out: issue levels (critical, major, minor, …), system types (chain, contracts, app, …), reward amounts, … especially as everything is still under heavy development so things may change continually over time.

4 Likes