Summary
Vega's validators able to submit duplicate transactions
A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party’s general account. This is without depositing any more than the original 100USDT on the bridge.
Despite this exploit requiring access to a validator's Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.
The steps to carry out this exploit are as follows:
- Cause an Ethereum event on one of the bridge contracts e.g a deposit to the collateral bridge, or the staking bridge
- This will result in the Ethereum-event-forwarder of each node to submit a ChainEvent transaction to the Vega network corresponding to that event
- Scrape the valid chain event transaction from the Tendermint block data using a node’s Tendermint API
- Change the value of the
txIdfield of the ChainEvent to any valid, but different, value - Bundle the tweaked ChainEvent into a new transaction, sign it with a validator key and resubmit to the Vega network
- The fraudulent ChainEvent will be processed by Vega as if it were a new ChainEvent even though it did not occur on Ethereum
The key to this exploit is in step 4. The txId field of the ChainEvent is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event. Therefore changing the txId of an existing ChainEvent is enough to by-pass the duplication check and for it to still be verified as a real event.
Workarounds
No work around known, however there are mitigations in place should this vulnerability be exploited:
- there are monitoring alerts, for
mainnet1, in place to identify any issues of this nature including this vulnerability being exploited - the validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited
References
N/A
Impact
The impact of this exploit is dependent on the ChainEvent being manipulated. The below table describes each one:
| Chain Event | Allows | Consequence |
|---|---|---|
| Deposit | Generation of unlimited funds of any asset | Withdrawal of all assets |
| Stake Deposit | Delegate unlimited Vega to a single node | A single node has controlling amount of voting power |
| Stake Removed | Force a Validator node to drop below self-stake requirements | Prevents reward payouts |
| Bridge Stop | The Vega network to think the bridge is stopped | Prevent anyone from withdrawing funds |
| Signer Removed | The Vega network to think a validator nodes is not on the multisig contract | Prevent reward payouts |
The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact: varies by context: data corruption, logic bypass, or denial of service.
CVE-2023-35163 has a CVSS score of 6.0 (Medium). The vector is requires physical access, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.71.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
v0.71.6
Frequently Asked Questions
- What is CVE-2023-35163? CVE-2023-35163 is a medium-severity improper input validation vulnerability in code.vegaprotocol.io/vega (go), affecting versions < 0.71.6. It is fixed in 0.71.6. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
- How severe is CVE-2023-35163? CVE-2023-35163 has a CVSS score of 6.0 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of code.vegaprotocol.io/vega are affected by CVE-2023-35163? code.vegaprotocol.io/vega (go) versions < 0.71.6 is affected.
- Is there a fix for CVE-2023-35163? Yes. CVE-2023-35163 is fixed in 0.71.6. Upgrade to this version or later.
- Is CVE-2023-35163 exploitable, and should I be worried? Whether CVE-2023-35163 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2023-35163 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2023-35163? Upgrade
code.vegaprotocol.io/vegato 0.71.6 or later.