Olivia
Online
Phạm Tiến Minh Đức
@pmbibe
Việt Nam
Joined January 2015
1.2K Following
637 Followers
499 Posts
🚨 We analyzed a CRITICAL vulnerability in $PORT3
A perfect storm of 3 bugs allowed attackers to:
✓ Bypass authorization with EMPTY signatures
✓ Register fake chains
✓ Mint UNLIMITED tokens
✓ Drain bridge liquidity
The root cause? Owner = 0x0
What happened 🧵
🧵 Summary:
Owner = 0x0 enabled signature bypass
Invalid signatures (r=0, s=0) bypassed ecrecover
Attacker registered fake chains
Unlimited token minting occurred
Users lost millions
Thread ends here. Stay safe! 🛡️
🚨 We analyzed a CRITICAL vulnerability in $PORT3
A perfect storm of 3 bugs allowed attackers to:
✓ Bypass authorization with EMPTY signatures
✓ Register fake chains
✓ Mint UNLIMITED tokens
✓ Drain bridge liquidity
The root cause? Owner = 0x0
What happened 🧵
With fake chain registered:
tokenContracts[23] = 0x4644bbcfd26... // Attacker's contract
Now attacker can:
Forge Wormhole message from "chain 23"
Set emitter = their contract
Set amount = UNLIMITED
Call bridgeIn()
Contract mints tokens ✓
FUNDS DRAINED
The Critical Bug
Step 5 - Signature Verification
Step-By-Step Attack
Here's how it bypassed authorization:
The Attack Transaction
Here's the actual exploit transaction: https://t.co/NM5ITIC0Br
Attacker calls with:
Valid custodian (themselves)
Valid timestamp
INVALID signature (all zeros)
Transaction succeeds 🔥
Bug #2 - Empty Signature Acceptance
Result: Attacker sends 65 bytes of zeros → Accepted
Critical bug: Signature verification doesn't check for zero address
Here's the trap:
Invalid signatures return 0x0 from ecrecover
If authority = 0x0
Then: 0x0 == 0x0 → TRUE ✗
Authorization BYPASSED with invalid signature
When a non-owner wants to call sensitive functions, they must provide:
✓ Valid custodian address
✓ Non-expired timestamp
✓ VALID SIGNATURE
CATERC20 is a cross-chain token bridge using:
Wormhole for cross-chain messaging
Signature verification for governance
registerChains() to whitelist token bridges
Problem: The authorization mechanism had a critical flaw.
let’s do a quickie😈
💎 Lifetime Access to @Bheem_Lounge (worth $2,500)
Will pick anyone from likes/retweets or comment section randomly
Ends in 60 minutes, goodluck😼
$Btc Perfectly Reclaim & Retest 110.5k Level 🎯 Already Shared 🫰
That's How We Play Perfect Setup With Patience 👽
Now Flip 112k We Can Play Swing Till Ath.
bheem is happy so $1,000 USDT giveaway😗
To top it off, Lifetime Access to @Bheem_Lounge vip (worth $2,000)
https://t.co/pNwflQbzhi
Just like this tweet & join above, winner in 24h- glhf🤝
$BTC update:
>Must remain above 63.3k
>Key level 66.1k
Change in MS depending on reaction at 66.1k📌 rejection and PA similar to left shoulder or immediate reclaim depending on news day.
Right shoulder valid once 1D close below 63.3k otherwise opt for upside (my long open)
Do you want to make consistent profits each month?
Participate to win a lifetime subscription to @Bheem_Lounge worth $1500.
Still not enough? Win an additional $1000 in USDT by becoming a ByBit user: https://t.co/KiPyMNWfSY
❤️ & ♻️ to enter !!
Most Popular Users
Elon Musk 
@elonmusk
240.4M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.2M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.4M followers
Taylor Swift
@taylorswift13
81.3M followers
Lady Gaga
@ladygaga
72.8M followers
Kim Kardashian
@kimkardashian
69.7M followers
Virat Kohli
@imvkohli
69.5M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.7M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.2M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.5M followers