In April 2024, a researcher discovered and reported two critical vulnerabilities in Sei Network’s layer-1 blockchain, resulting in bug bounties of $75,000 and $2,000,000 from the Sei Foundation. These vulnerabilities, one affecting chain availability and the other its integrity, were identified post-audit but pre-release, so no funds were at risk.
Issue 1: Chain Halting Bug
The first bug had the potential to halt the chain due to a panic in the ABCI EndBlockers. The Sei Network, built on the Cosmos SDK with a customized Tendermint fork, handles transactions within a recovery loop to manage errors. However, the ABCI methods, by default, don’t run in this loop. The vulnerable code attempted to transfer funds from a “coinbase address,” but due to locked funds, the transfer would fail, triggering a panic and halting the chain. The fix involved replacing the GetBalance call with SpendableCoins.
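The failure mode and the fix described above, as an added Go example that is not Sei's code and not taken from the original report. The types account and bank, the functions Send, endBlocker, runBlock and newBank, and all balances are hypothetical; GetBalance and SpendableCoins here only model the total-versus-spendable distinction.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model (constructed, not Sei or Cosmos SDK code): part of a balance may be locked.
type account struct{ total, locked int64 }
type bank map[string]*account

// GetBalance models a total-balance query: locked funds are included.
func (b bank) GetBalance(addr string) int64 { return b[addr].total }

// SpendableCoins models a spendable-balance query: total minus locked.
func (b bank) SpendableCoins(addr string) int64 { return b[addr].total - b[addr].locked }

// Send refuses to move more than the sender's spendable amount.
func (b bank) Send(from, to string, amt int64) error {
	if amt < 0 || amt > b.SpendableCoins(from) {
		return errors.New("insufficient spendable funds")
	}
	b[from].total -= amt
	b[to].total += amt
	return nil
}

// endBlocker sweeps coinbase, sizing the transfer with amountOf; a failed send panics.
func endBlocker(b bank, amountOf func(string) int64) {
	if err := b.Send("coinbase", "fees", amountOf("coinbase")); err != nil {
		panic(err)
	}
}

// runBlock reports whether the block completed. The recover is here only so
// the example can observe the panic; unguarded, it would stop the process.
func runBlock(b bank, amountOf func(string) int64) (ok bool) {
	defer func() { ok = recover() == nil }()
	endBlocker(b, amountOf)
	return true
}

func newBank() bank {
	return bank{"coinbase": &account{total: 100, locked: 40}, "fees": &account{}}
}

func main() {
	a, b := newBank(), newBank()
	fmt.Println("GetBalance:", runBlock(a, a.GetBalance), "SpendableCoins:", runBlock(b, b.SpendableCoins))
}
```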
Timeline for Issue 1:
- April 22, 2024: Report created
- April 23, 2024: Bug fixed and confirmed
- April 24, 2024: $75,000 reward issued
Issue 2: Fund Transfer Exploit
The second bug allowed unauthorized fund transfers due to negative balance handling in Sei’s integration of the Ethereum Virtual Machine (EVM). By sending a negative value through an internal EVM message (MsgInternalEVMCall), an attacker could siphon funds from any account, risking the entire market cap of Sei tokens. The exploit could escalate to taking over the validator set by draining the bonded token pool.
Timeline for Issue 2:
- April 23, 2024: Report created
- April 24, 2024: Bug fixed and confirmed
- May 22, 2024: $2,000,000 reward issued
The Sei Foundation’s proactive bug bounty program and swift response prevented potential exploitation, demonstrating their commitment to security. These bugs, surviving multiple reviews, underscore the importance of continuous security efforts in blockchain development.