defirisk.co
rubric v1.7.0

Meter (Passport Bridge): Deposit method calldata bypass — unwrapped native token assumption not enforced in secondary deposit path

Meter's ChainBridge fork had two deposit entry points but only one validated the calldata amount against actual funds deposited, letting an attacker mint arbitrary wrapped tokens and drain $4.4M — with $3.3M more lost as collateral damage at Hundred Finance.

  • Occurred: 2022-02-05
  • Loss: $8M
  • Status: closed

Summary

Meter (Passport Bridge) suffered a cross-chain bridge exploit on 2022-02-05, resulting in a loss of approximately $8M.

What happened

Meter's ChainBridge fork had two deposit entry points but only one validated the calldata amount against actual funds deposited, letting an attacker mint arbitrary wrapped tokens and drain $4.4M — with $3.3M more lost as collateral damage at Hundred Finance.
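As an added illustration, not code from Meter's fork or from ChainSafe ChainBridge, the following minimal handler has the two deposit paths the record describes: the native path credits msg.value, which the EVM guarantees was actually sent, while the ERC-20 path shows in a comment the hypothetical skipped-pull logic (our reconstruction of "unwrapped native token assumption not enforced") beside the hardened form that credits only tokens measurably received. Contract and function names (DepositHandlerHardened, depositNative, _record) and the interfaces are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IWNative is IERC20 {
    function deposit() external payable; // wraps msg.value into the ERC-20 form
}

// Simplified stand-in for a bridge handler (hypothetical; not the real ChainBridge handler).
contract DepositHandlerHardened {
    IWNative public immutable wNative;
    mapping(uint256 => uint256) public recorded; // depositNonce => amount credited on the far chain
    uint256 public nonce;

    constructor(IWNative w) { wNative = w; }

    // Path 1: native token. The credited amount is msg.value, so it is always backed by real funds.
    function depositNative() external payable returns (uint256) {
        wNative.deposit{value: msg.value}();
        return _record(msg.value);
    }

    // Path 2: ERC-20 path, where `amount` arrives from calldata.
    // VULNERABLE shape (reconstructed): when token == wNative the pull was skipped on the
    // assumption that the funds had already arrived via depositNative, so `amount` was credited
    // without anything being transferred:
    //   if (token != address(wNative)) IERC20(token).transferFrom(msg.sender, address(this), amount);
    //   return _record(amount);
    // Hardened: always pull, and credit the measured balance delta, never the caller-supplied number.
    function deposit(address token, uint256 amount) external returns (uint256) {
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        return _record(received);
    }

    // Records a deposit only when funds actually landed; a zero-backed deposit reverts.
    function _record(uint256 amount) internal returns (uint256) {
        require(amount > 0, "deposit not backed by funds");
        recorded[++nonce] = amount;
        return nonce;
    }
}
```

The detection angle follows from the same invariant: a relayer or monitor can flag any deposit event whose credited amount exceeds the handler's on-chain balance change in that transaction.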

Linked factors

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (the Meter-specific ERC20 Handler modification)]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y (indirect) — Hundred Finance collateral damage enabled because Chainlink oracle price diverged from local manipulated BNB.bsc price on Moo...]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — ChainSafe ChainBridge fork with custom modifications]