GIP-31: Should Gnosis Chain perform a Hardfork to upgrade the token contract vulnerable to the reentrancy attack?

GnosisDAO · March 18, 2022, 4:42pm

GIP-31: Should Gnosis Chain perform a Hardfork to upgrade the token contract vulnerable to the reentrancy attack?

Let’s do this!
Make no changes

0 voters

GIP: 31
title: Should Gnosis Chain perform a Hardfork to upgrade the token contract vulnerable to the reentrancy attack?

author: GnosisDAO
status: Draft
type:  Meta
created: 2022/03/17

On 15th March 2022 tokens bridged with the OmniBridge were used in attacks on the Agave and Hundred Finance protocols on the Gnosis Chain.

Technical Background

The Omnibridge inherited functionality from the original version of the TokenBridge, using the ERC677 extension for the token contract to simplify the UX. ERC677-compatible tokens are bridged using the transferAndCall invocation rather than a sequence of approve and transferFrom calls.

This behavior was extended to the transfer method to accommodate users accidentally calling transfer rather than transferAndCall when bridging tokens. When called, tokens are bridged instead of locked in the bridge contract.

The behavior to execute a call after a transfer opened the door to potential reentrancy attacks.

An audit on 9 November, 2020 revealed an incompatibility with the ERC20 standard, and the callAfterTransfer method was modified to fix the issue.

However, this new implementation could not be used for previously bridged tokens since the token contracts are not upgradable. Although a proxy template was used by the bridged tokens to reduce gas usage for the tx executing the very first token transfer, the upgradability functionality was not implemented for security reasons.

Prior to the new implementation, 517 tokens had already been bridged to the Gnosis Chain including WETH, USDC, GNO, LINK, WBTC, and many others.

Both protocols, Agave and Hundred Finance, forks of AAVE and Compound used a forked codebase prone to reentrancy attacks enabled on token transfers.

Possible Solutions

For the 517 tokens - as the tokens are not upgradable by design - there are three options:

Do nothing - but make everyone very aware that the tokens have this callback functionality. This will likely mean that many contracts that are safe to use on mainnet are not necessarily safe to use on GC in case they are prone to reentrancy attacks on token transfers. We don’t see this as a viable solution as we want developers to easily port applications to Gnosis Chain without modifying code.
Promoting an optional migration to tokens without this functionality. E.g. there could be a wrapper token of all tokens affected without the callback. DeFi protocols would be advised to use the wrapped tokens if they are not sure that their contracts are reentrancy safe. We don’t see this solution as optimal as it requires additional wrapping of tokens disrupting the user experience. Some tokens, like GNO, are locked for a long time and won’t be converted anytime soon.
A hardfork of the chain that could replace the bytecode of those tokens in a way that removes the callback. A primary concern would be that this hard fork would not affect anyone negatively potentially relying on this extra functionality. We did investigate this issue and found only one project (HOPR) was affected by this issue.

Based on this analysis we advocate for a hardfork of Gnosis Chain as it allows the least disruptive experience for users and developers.
Hardfork Specification
The hard fork assumes to update Gnosis Chain spec file (explicitly or through node upgrading with the new internal spec) on all nodes and upgrade the nodes themselves to the new version supporting dao-like hard forks.

Majority of the nodes must be upgraded before the hard fork block defined in the spec.

The spec file would contain the new instruction in engine.authorityRound.params section. Example:

rewriteBytecode: {
    "21300000": {
        "0x1234000000000000000000000000000000000001": "0xbytecode1...",
        "0x1234000000000000000000000000000000000002": "0xbytecode2..."
    }
}

It defines the block number at which the bytecodes should be rewritten for the specified contracts (can be more than one per block).

The rewriteBytecode option can have multiple blocks (for possible future similar hard forks), e.g.:

rewriteBytecode: {
    "21300000": {
        "0x1234000000000000000000000000000000000001": "0xbytecode1...",
        "0x1234000000000000000000000000000000000002": "0xbytecode2..."
    },
    "22200000": {
        "0x1234000000000000000000000000000000000003": "0xbytecode3...",
        "0x1234000000000000000000000000000000000004": "0xbytecode4..."
    }
}

mkoeppelmann · March 18, 2022, 5:01pm

I just want to clarify: this proposal would signal the support of GnosisDAO for the hardfork - ultimately a hardfork (without chain split) can only be made by all stakeholders participating. GnosisDAO is only one out of many stakeholders of GnosisChain.

meh · March 18, 2022, 8:02pm

Hardfork makes sense. Not doing anything will lead to less devs building on Gnosis and doing an optional migration wrapping all tokens is just messy and a pain in the ass tbh.

Would hope the hardfork is passed and a following proposal to reimburse the users who lost ~10M due to this design flaw is passed to reestablish trust in the community.

notanurse · March 18, 2022, 10:23pm

Keeping these tokens around in their current incarnation is extremely dangerous. I think the hardfork is the best available long-term option; this is a fantastic chain with huge long term potential and if we don’t do the hard work now to remedy this blunder, we’re really shooting ourselves to ever compete against the other ETH alternatives down the road.

itsencrypted · March 19, 2022, 6:04am

Hey @mkoeppelmann … could you give us an idea of market value of the 517 tokens??
How much do they represente in % value and USD value of the total amount currently at GC?

By reading the current thread I understand they would pose significant problems to the future of Gnosis Chain signaling that nodes should agree to a hard fork as the only alternative.

Kastormagic · March 19, 2022, 7:47am

A hardfork seems to be the best solution if we want to bring back confidence.

Havenmeester19 · March 19, 2022, 2:04pm

If we put this in a greater perspective its the question if we draw a line here for making hardforks on Gnosis chain now and in the future.
In short term this will maybe bring back confidence but on long term it isnt, because we could see more and more potential hardforks, which is not in line with a stable network.
Maybe something to think about.

SCBuergel · March 19, 2022, 4:22pm

Hi frens

First of all thanks for this initiative to make GC better & safer!

I’m founder of HOPR - our community and HOPR Association have currently collectively deployed over 17% of our circulating supply on GC so we are deeply committed to GC and the health of the entire ecosystem while also having significant funds at stake ourselves.

The main net HOPR token is an ERC777 token and our protocol is leveraging 777-specific features in our payment channel infrastructure. It was therefore a bit a pity when we found out that the bridged tokens are 677 by default. Since we did not want to modify our (audited) protocol implementation, we deployed a wrapper contract and UI to turn the 677 into 777 tokens that can be used in our protocol and other infrastructure such as the HOPR staking program. We took quite some effort to make sure both setups are secure. To highlight how non-trivial re-entrancy is for these types of implementations even in popular libraries, our auditors at ChainSecurity identified a re-entrancy vector in the OpenZeppelin 777 implementation while auditing HOPR code. The issues were resolved in the meantime.

In order to assess the potential implications of the described hard fork, we would like to review the proposed implementation. The indications in the OP are somewhat vague and even if the changes are minimal, we would want to make sure that there are no ambiguities and all aspects can be considered. Thus my second concern is the timeline: We cannot assess the implications before seeing the proposed implementation implementation and even though we are happy to deploy maximal engineering resources at this emergency situation, the timeline of currently 6 more days is too short to make an educated assessment - let alone an audit.

Overall it has to be highlighted that this rushed fork proposal to protect protocols which did not sufficiently consider the security implications of a GC deployment is putting other projects like HOPR at risk who were deploying a variety of contracts and tools on top of Gnosis Chain. The worst case damage is that most of the HOPR tokens on GC are locked (detailed assessment is pending a proposed implementation and is probably not (that) dramatic).

IMO, reliability of infrastructure should have higher priority than forking in favor of unknown potential further funds at risk. This view might change if we know that there are additional projects at imminent risk - but even than I’d prefer a whitehat attack over a rushed fork that puts other projects at risk.

In summary, until I see an implementation and had a at least 3 days to review our own code base I’m against the proposed fork.

refri · March 20, 2022, 4:45pm

Agree that there is no need to rush…there might be other possibilities for the affected protocols to cope with the token design till we make a fork. But cause major tokens on GC are affected I still believe the fork is the best solution.

yddar · March 20, 2022, 7:24pm

Well, the number #8 and #9 TVL projects on the whole chain were drained and they were forks of the most battle tested lending platforms across the entire defi ecosystem…

Expecting projects to do many month chain specific audits going forward is not going to work. People will just go elsewhere.

I think XDAI has great heritage, great brand (even more with the Gnosis team now), and has a real chance of being a critical long-term counterpart to Ethereum. However, if we can’t find a way to make users of these platforms whole and address this issue going forward so other platforms feel it’s safe to deploy here, we’re going to be a zombie chain.

We don’t need to rush a hardfork, but we should get our messaging straight and soon.

I’ve always considered and recommended XDAI as the single safest ethereum sidechain – while we sit in limbo like this, myself and others are avoiding the whole chain.

Wunderbernd · March 21, 2022, 7:05pm

Gnosis chain is supposed to be the canary chain for ETH. If you don’t use the same standards as ETH, the whole use case becomes useless. Why should ETH protocols deploy on Gnosis chain if they don’t have the same functionality and they have to implement additional audits/checks of the code?

They already changed the token standard for the new tokens, this didn’t seem to be a problem? So like 50-60 tokens can have the new standard without a problem, but if all the tokens have the standard it becomes a huge issue?

The way I look at it, the best solution would be a fork. This would reduce the differences between GC and ETH and make it more attractive for more protocols to deploy on GC. In the end the decision is between opening up the chain/ making it more attractive for new protocols or keeping the niche functionality/ a different purpose for the chain.

Wunderbernd · March 21, 2022, 8:10pm

I also want people to consider the following:

The token standard is relatively old, at the time of the implementation not many people thought something like this is possible. So this opens the following questions:

Is every protocol aware of the different token standard?
Do they have reentry checks in place?
Do they have standard reentry checks in place and do these cover the token standard?

I doubt anyone can answer these questions, this can cause a lot of uncertainty for users. We can’t make sure that protocols have these checks in place and we can’t expect users to be able to verify. So it would be the best for the vast majority if we close a potential attack vector.

SCBuergel · March 25, 2022, 9:04pm

I agree that it is ideal to have the same tokens on GC as on main net. But what is that token standard? We’re long past every token being just ERC20 - at HOPR we’re having an ERC777 which we very actively use as such. The number of token standards is growing almost weekly and there are a number of good reasons for using some specific one of the various “standards”.

So the actual holy grail would be a “bring your own token” bridge which AFAIK is not possible. That means we have to make a compromise and settle on some greatest common denominator. Probably that is indeed a plain vanilla ERC20. But that keeps innovation back, approve + transferFrom hell until the end of times and nobody can have anything else than plain vanilla ERC20 or go through a fairly annoying wrapper setup similar to what we set up for xHOPR and wxHOPR.

All that is to say that the argument of having a fork in order to be compatible with main net is not really a strong one.

SCBuergel · March 25, 2022, 9:07pm

The voting period is over and we still don’t have a release candidate of the new token implementation. Please provide this ASAP so that the community can start reviewing if / what contracts would break with the proposed fork.

mkoeppelmann · March 31, 2022, 2:31pm

The exact thing we are doing is:
replacing the bytecode of: Contract 0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9 - Gnosis Chain Explorer

which is currently:

0x6080604052600436106101b65763ffffffff7c010000000000000000000000000000000000000000000000000000000060003504166305d2035b81146101bb57806306fdde03146101e4578063095ea7b31461026e5780630b26cf661461029257806318160ddd146102b557806323b872dd146102dc57806330adf81f14610306578063313ce5671461031b5780633644e51514610346578063395093511461035b5780634000aea01461037f57806340c10f19146103b057806342966c68146103d457806354fd4d50146103ec578063661884631461040157806369ffa08a1461042557806370a082311461044c578063715018a61461046d578063726600ce146104825780637d64bcb4146104a35780637ecebe00146104b8578063859ba28c146104d95780638da5cb5b1461051a5780638fcbaf0c1461054b57806395d89b4114610589578063a457c2d71461059e578063a9059cbb146105c2578063b753a98c146105e6578063bb35783b1461060a578063cd59658314610634578063d73dd62314610649578063dd62ed3e1461066d578063f2d5d56b14610694578063f2fde38b146106b8578063ff9e884d146106d9575b600080fd5b3480156101c757600080fd5b506101d0610700565b604080519115158252519081900360200190f35b3480156101f057600080fd5b506101f9610721565b6040805160208082528351818301528351919283929083019185019080838360005b8381101561023357818101518382015260200161021b565b50505050905090810190601f1680156102605780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b34801561027a57600080fd5b506101d0600160a060020a03600435166024356107af565b34801561029e57600080fd5b506102b3600160a060020a0360043516610803565b005b3480156102c157600080fd5b506102ca61085d565b60408051918252519081900360200190f35b3480156102e857600080fd5b506101d0600160a060020a0360043581169060243516604435610863565b34801561031257600080fd5b506102ca610a32565b34801561032757600080fd5b50610330610a56565b6040805160ff9092168252519081900360200190f35b34801561035257600080fd5b506102ca610a5f565b34801561036757600080fd5b506101d0600160a060020a0360043516602435610a65565b34801561038b57600080fd5b506101d060048035600160a060020a0316906024803591604435918201910135610a78565b3480156103bc57600080fd5b506101d0600160a060020a0360043516602435610b89565b3480156103e057600080fd5b506102b3600435610c94565b3480156103f857600080fd5b506101f9610ca1565b34801561040d57600080fd5b506101d0600160a060020a0360043516602435610cd8565b34801561043157600080fd5b506102b3600160a060020a0360043581169060243516610db5565b34801561045857600080fd5b506102ca600160a060020a0360043516610df1565b34801561047957600080fd5b506102b3610e0c565b34801561048e57600080fd5b506101d0600160a060020a0360043516610e23565b3480156104af57600080fd5b506101d0610e37565b3480156104c457600080fd5b506102ca600160a060020a0360043516610e3e565b3480156104e557600080fd5b506104ee610e50565b6040805167ffffffffffffffff9485168152928416602084015292168183015290519081900360600190f35b34801561052657600080fd5b5061052f610e5b565b60408051600160a060020a039092168252519081900360200190f35b34801561055757600080fd5b506102b3600160a060020a0360043581169060243516604435606435608435151560ff60a4351660c43560e435610e6a565b34801561059557600080fd5b506101f9611171565b3480156105aa57600080fd5b506101d0600160a060020a03600435166024356111cb565b3480156105ce57600080fd5b506101d0600160a060020a03600435166024356111d7565b3480156105f257600080fd5b506102b3600160a060020a0360043516602435611202565b34801561061657600080fd5b506102b3600160a060020a036004358116906024351660443561120d565b34801561064057600080fd5b5061052f61121e565b34801561065557600080fd5b506101d0600160a060020a036004351660243561122d565b34801561067957600080fd5b506102ca600160a060020a03600435811690602435166112b4565b3480156106a057600080fd5b506102b3600160a060020a03600435166024356112df565b3480156106c457600080fd5b506102b3600160a060020a03600435166112ea565b3480156106e557600080fd5b506102ca600160a060020a036004358116906024351661130a565b60065474010000000000000000000000000000000000000000900460ff1681565b6000805460408051602060026001851615610100026000190190941693909304601f810184900484028201840190925281815292918301828280156107a75780601f1061077c576101008083540402835291602001916107a7565b820191906000526020600020905b81548152906001019060200180831161078a57829003601f168201915b505050505081565b336000818152600560209081526040808320600160a060020a03871680855290835281842086905581518681529151939490939092600080516020611a13833981519152928290030190a350600192915050565b600654600160a060020a0316331461081a57600080fd5b61082381611327565b151561082e57600080fd5b6007805473ffffffffffffffffffffffffffffffffffffffff1916600160a060020a0392909216919091179055565b60045490565b600080600160a060020a038516151561087b57600080fd5b600160a060020a038416151561089057600080fd5b600160a060020a0385166000908152600360205260409020546108b9908463ffffffff61132f16565b600160a060020a0380871660009081526003602052604080822093909355908616815220546108ee908463ffffffff61134116565b600160a060020a0380861660008181526003602090815260409182902094909455805187815290519193928916926000805160206119f383398151915292918290030190a3600160a060020a0385163314610a1c5761094d85336112b4565b905060001981146109b757610968818463ffffffff61132f16565b600160a060020a038616600081815260056020908152604080832033808552908352928190208590558051948552519193600080516020611a13833981519152929081900390910190a3610a1c565b600160a060020a0385166000908152600a602090815260408083203384529091529020541580610a1157506109ea611354565b600160a060020a0386166000908152600a6020908152604080832033845290915290205410155b1515610a1c57600080fd5b610a27858585611358565b506001949350505050565b7fea2aa0a1be11a07ed86d755c93467f4f82362b452371d1ba94d1715123511acb81565b60025460ff1681565b60085481565b6000610a71838361122d565b9392505050565b600084600160a060020a03811615801590610a9c5750600160a060020a0381163014155b1515610aa757600080fd5b610ab186866113ef565b1515610abc57600080fd5b85600160a060020a031633600160a060020a03167fe19260aff97b920c7df27010903aeb9c8d2be5d310a2c67824cf3f15396e4c16878787604051808481526020018060200182810382528484828181526020019250808284376040519201829003965090945050505050a3610b3186611327565b15610b7d57610b7233878787878080601f016020809104026020016040519081016040528093929190818152602001838380828437506113fb945050505050565b1515610b7d57600080fd5b50600195945050505050565b600654600090600160a060020a03163314610ba357600080fd5b60065474010000000000000000000000000000000000000000900460ff1615610bcb57600080fd5b600454610bde908363ffffffff61134116565b600455600160a060020a038316600090815260036020526040902054610c0a908363ffffffff61134116565b600160a060020a038416600081815260036020908152604091829020939093558051858152905191927f0f6798a560793a54c3bcfe86a93cde1e73087d944c0ea20544137d412139688592918290030190a2604080518381529051600160a060020a038516916000916000805160206119f38339815191529181900360200190a350600192915050565b610c9e3382611591565b50565b60408051808201909152600181527f3100000000000000000000000000000000000000000000000000000000000000602082015281565b336000908152600560209081526040808320600160a060020a0386168452909152812054808310610d2c57336000908152600560209081526040808320600160a060020a0388168452909152812055610d61565b610d3c818463ffffffff61132f16565b336000908152600560209081526040808320600160a060020a03891684529091529020555b336000818152600560209081526040808320600160a060020a038916808552908352928190205481519081529051929392600080516020611a13833981519152929181900390910190a35060019392505050565b600654600160a060020a03163314610dcc57600080fd5b80600160a060020a0381161515610de257600080fd5b610dec8383611680565b505050565b600160a060020a031660009081526003602052604090205490565b600654600160a060020a031633146101b657600080fd5b600754600160a060020a0390811691161490565b6000806000fd5b60096020526000908152604090205481565b600260036000909192565b600654600160a060020a031681565b600080600160a060020a038a161515610e8257600080fd5b600160a060020a0389161515610e9757600080fd5b861580610eab575086610ea8611354565b11155b1515610eb657600080fd5b600854604080517fea2aa0a1be11a07ed86d755c93467f4f82362b452371d1ba94d1715123511acb602080830191909152600160a060020a03808f16838501528d166060830152608082018c905260a082018b905289151560c0808401919091528351808403909101815260e090920192839052815191929182918401908083835b60208310610f575780518252601f199092019160209182019101610f38565b51815160209384036101000a6000190180199092169116179052604080519290940182900382207f190100000000000000000000000000000000000000000000000000000000000083830152602283019790975260428083019790975283518083039097018752606290910192839052855192945084935085019190508083835b60208310610ff75780518252601f199092019160209182019101610fd8565b51815160209384036101000a600019018019909216911617905260408051929094018290038220600080845283830180875282905260ff8d1684870152606084018c9052608084018b905294519098506001965060a080840196509194601f19820194509281900390910191865af1158015611077573d6000803e3d6000fd5b50505060206040510351600160a060020a03168a600160a060020a03161415156110a057600080fd5b600160a060020a038a16600090815260096020526040902080546001810190915588146110cc57600080fd5b856110d85760006110dc565b6000195b600160a060020a03808c166000908152600560209081526040808320938e16835292905220819055905085611112576000611114565b865b600160a060020a03808c166000818152600a60209081526040808320948f1680845294825291829020949094558051858152905192939192600080516020611a13833981519152929181900390910190a350505050505050505050565b60018054604080516020600284861615610100026000190190941693909304601f810184900484028201840190925281815292918301828280156107a75780601f1061077c576101008083540402835291602001916107a7565b6000610a718383610cd8565b60006111e383836113ef565b15156111ee57600080fd5b6111f9338484611358565b50600192915050565b610dec338383610863565b611218838383610863565b50505050565b600754600160a060020a031690565b336000908152600560209081526040808320600160a060020a0386168452909152812054611261908363ffffffff61134116565b336000818152600560209081526040808320600160a060020a038916808552908352928190208590558051948552519193600080516020611a13833981519152929081900390910190a350600192915050565b600160a060020a03918216600090815260056020908152604080832093909416825291909152205490565b610dec823383610863565b600654600160a060020a0316331461130157600080fd5b610c9e816116ac565b600a60209081526000928352604080842090915290825290205481565b6000903b1190565b60008282111561133b57fe5b50900390565b8181018281101561134e57fe5b92915050565b4290565b61136182611327565b80156113885750604080516000815260208101909152611386908490849084906113fb565b155b15610dec5761139682610e23565b156113a057600080fd5b60408051600160a060020a0380861682528416602082015280820183905290517f11249f0fc79fc134a15a10d1da8291b79515bf987e036ced05b9ec119614070b9181900360600190a1505050565b6000610a71838361172a565b600083600160a060020a031663a4c0ed367c0100000000000000000000000000000000000000000000000000000000028685856040516024018084600160a060020a0316600160a060020a0316815260200183815260200180602001828103825283818151815260200191508051906020019080838360005b8381101561148c578181015183820152602001611474565b50505050905090810190601f1680156114b95780820380516001836020036101000a031916815260200191505b5060408051601f198184030181529181526020820180517bffffffffffffffffffffffffffffffffffffffffffffffffffffffff167fffffffff00000000000000000000000000000000000000000000000000000000909916989098178852518151919790965086955093509150819050838360005b8381101561154757818101518382015260200161152f565b50505050905090810190601f1680156115745780820380516001836020036101000a031916815260200191505b509150506000604051808303816000865af1979650505050505050565b600160a060020a0382166000908152600360205260409020548111156115b657600080fd5b600160a060020a0382166000908152600360205260409020546115df908263ffffffff61132f16565b600160a060020a03831660009081526003602052604090205560045461160b908263ffffffff61132f16565b600455604080518281529051600160a060020a038416917fcc16f5dbb4873280815c1ee09dbd06736cffcc184412cf7a71a0fdb75d397ca5919081900360200190a2604080518281529051600091600160a060020a038516916000805160206119f38339815191529181900360200190a35050565b600160a060020a038216151561169e57611699816117f9565b6116a8565b6116a88282611805565b5050565b600160a060020a03811615156116c157600080fd5b600654604051600160a060020a038084169216907f8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e090600090a36006805473ffffffffffffffffffffffffffffffffffffffff1916600160a060020a0392909216919091179055565b3360009081526003602052604081205482111561174657600080fd5b600160a060020a038316151561175b57600080fd5b3360009081526003602052604090205461177b908363ffffffff61132f16565b3360009081526003602052604080822092909255600160a060020a038516815220546117ad908363ffffffff61134116565b600160a060020a0384166000818152600360209081526040918290209390935580518581529051919233926000805160206119f38339815191529281900390910190a350600192915050565b30316116a882826118a3565b604080517f70a0823100000000000000000000000000000000000000000000000000000000815230600482015290518391600091600160a060020a038416916370a0823191602480830192602092919082900301818787803b15801561186a57600080fd5b505af115801561187e573d6000803e3d6000fd5b505050506040513d602081101561189457600080fd5b5051905061121884848361190b565b604051600160a060020a0383169082156108fc029083906000818181858888f1935050505015156116a85780826118d86119c2565b600160a060020a039091168152604051908190036020019082f080158015611904573d6000803e3d6000fd5b5050505050565b60408051600160a060020a03841660248201526044808201849052825180830390910181526064909101909152602081810180517bffffffffffffffffffffffffffffffffffffffffffffffffffffffff167fa9059cbb000000000000000000000000000000000000000000000000000000001781528251606093600093909290918491828a5af160005193508392508080156101b65750506000835111156119ba578115156119ba57600080fd5b505050505050565b6040516021806119d2833901905600608060405260405160208060218339810160405251600160a060020a038116ff00ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925a165627a7a72305820da715ff88e0288dbae664bb8af2f148726bdc8c499fecf88153280d022031e780029

with the bytecode you currently find here:

0x6080604052600436106101b35763ffffffff60e060020a60003504166305d2035b81146101b857806306fdde03146101e1578063095ea7b31461026b5780630b26cf661461028f57806318160ddd146102b257806323b872dd146102d957806330adf81f14610303578063313ce567146103185780633644e5151461034357806339509351146103585780634000aea01461037c57806340c10f19146103ad57806342966c68146103d157806354fd4d50146103e957806366188463146103fe57806369ffa08a1461042257806370a0823114610449578063715018a61461046a578063726600ce1461047f5780637d64bcb4146104a05780637ecebe00146104b5578063859ba28c146104d65780638da5cb5b146105175780638fcbaf0c1461054857806395d89b4114610586578063a457c2d71461059b578063a9059cbb146105bf578063b753a98c146105e3578063bb35783b14610607578063c6a1dedf14610631578063cd59658314610646578063d505accf1461065b578063d73dd62314610694578063dd62ed3e146106b8578063f2d5d56b146106df578063f2fde38b14610703578063ff9e884d14610724575b600080fd5b3480156101c457600080fd5b506101cd61074b565b604080519115158252519081900360200190f35b3480156101ed57600080fd5b506101f661076c565b6040805160208082528351818301528351919283929083019185019080838360005b83811015610230578181015183820152602001610218565b50505050905090810190601f16801561025d5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b34801561027757600080fd5b506101cd600160a060020a03600435166024356107fa565b34801561029b57600080fd5b506102b0600160a060020a0360043516610810565b005b3480156102be57600080fd5b506102c761086a565b60408051918252519081900360200190f35b3480156102e557600080fd5b506101cd600160a060020a0360043581169060243516604435610870565b34801561030f57600080fd5b506102c7610a38565b34801561032457600080fd5b5061032d610a5c565b6040805160ff9092168252519081900360200190f35b34801561034f57600080fd5b506102c7610a65565b34801561036457600080fd5b506101cd600160a060020a0360043516602435610a6b565b34801561038857600080fd5b506101cd60048035600160a060020a0316906024803591604435918201910135610aac565b3480156103b957600080fd5b506101cd600160a060020a0360043516602435610bbd565b3480156103dd57600080fd5b506102b0600435610cc8565b3480156103f557600080fd5b506101f6610cd5565b34801561040a57600080fd5b506101cd600160a060020a0360043516602435610d0c565b34801561042e57600080fd5b506102b0600160a060020a0360043581169060243516610de9565b34801561045557600080fd5b506102c7600160a060020a0360043516610e0e565b34801561047657600080fd5b506102b0610e29565b34801561048b57600080fd5b506101cd600160a060020a0360043516610e40565b3480156104ac57600080fd5b506101cd610e54565b3480156104c157600080fd5b506102c7600160a060020a0360043516610e5b565b3480156104e257600080fd5b506104eb610e6d565b6040805167ffffffffffffffff9485168152928416602084015292168183015290519081900360600190f35b34801561052357600080fd5b5061052c610e78565b60408051600160a060020a039092168252519081900360200190f35b34801561055457600080fd5b506102b0600160a060020a0360043581169060243516604435606435608435151560ff60a4351660c43560e435610e87565b34801561059257600080fd5b506101f6610fc5565b3480156105a757600080fd5b506101cd600160a060020a036004351660243561101f565b3480156105cb57600080fd5b506101cd600160a060020a0360043516602435611032565b3480156105ef57600080fd5b506102b0600160a060020a0360043516602435611054565b34801561061357600080fd5b506102b0600160a060020a0360043581169060243516604435611064565b34801561063d57600080fd5b506102c7611075565b34801561065257600080fd5b5061052c611099565b34801561066757600080fd5b506102b0600160a060020a036004358116906024351660443560643560ff6084351660a43560c4356110a8565b3480156106a057600080fd5b506101cd600160a060020a0360043516602435611184565b3480156106c457600080fd5b506102c7600160a060020a036004358116906024351661120b565b3480156106eb57600080fd5b506102b0600160a060020a0360043516602435611236565b34801561070f57600080fd5b506102b0600160a060020a0360043516611241565b34801561073057600080fd5b506102c7600160a060020a0360043581169060243516611261565b60065474010000000000000000000000000000000000000000900460ff1681565b6000805460408051602060026001851615610100026000190190941693909304601f810184900484028201840190925281815292918301828280156107f25780601f106107c7576101008083540402835291602001916107f2565b820191906000526020600020905b8154815290600101906020018083116107d557829003601f168201915b505050505081565b600061080733848461127e565b50600192915050565b600654600160a060020a0316331461082757600080fd5b610830816112c0565b151561083b57600080fd5b6007805473ffffffffffffffffffffffffffffffffffffffff1916600160a060020a0392909216919091179055565b60045490565b600080600160a060020a038516151561088857600080fd5b600160a060020a038416151561089d57600080fd5b600160a060020a0385166000908152600360205260409020546108c6908463ffffffff6112c816565b600160a060020a0380871660009081526003602052604080822093909355908616815220546108fb908463ffffffff6112da16565b600160a060020a038086166000818152600360209081526040918290209490945580518781529051919392891692600080516020611d7283398151915292918290030190a3600160a060020a0385163314610a225761095a853361120b565b905060001981146109c457610975818463ffffffff6112c816565b600160a060020a038616600081815260056020908152604080832033808552908352928190208590558051948552519193600080516020611d92833981519152929081900390910190a3610a22565b600160a060020a0385166000908152600a602090815260408083203384529091529020541580610a175750600160a060020a0385166000908152600a602090815260408083203384529091529020544211155b1515610a2257600080fd5b610a2d8585856112ed565b506001949350505050565b7f6e71edae12b1b97f4d1f60370fef10105fa2faae0126114a169c64845d6126c981565b60025460ff1681565b60085481565b336000818152600560209081526040808320600160a060020a03871684529091528120549091610807918590610aa7908663ffffffff6112da16565b61127e565b600084600160a060020a03811615801590610ad05750600160a060020a0381163014155b1515610adb57600080fd5b610ae58686611324565b1515610af057600080fd5b85600160a060020a031633600160a060020a03167fe19260aff97b920c7df27010903aeb9c8d2be5d310a2c67824cf3f15396e4c16878787604051808481526020018060200182810382528484828181526020019250808284376040519201829003965090945050505050a3610b65866112c0565b15610bb157610ba633878787878080601f01602080910402602001604051908101604052809392919081815260200183838082843750611330945050505050565b1515610bb157600080fd5b50600195945050505050565b600654600090600160a060020a03163314610bd757600080fd5b60065474010000000000000000000000000000000000000000900460ff1615610bff57600080fd5b600454610c12908363ffffffff6112da16565b600455600160a060020a038316600090815260036020526040902054610c3e908363ffffffff6112da16565b600160a060020a038416600081815260036020908152604091829020939093558051858152905191927f0f6798a560793a54c3bcfe86a93cde1e73087d944c0ea20544137d412139688592918290030190a2604080518381529051600160a060020a03851691600091600080516020611d728339815191529181900360200190a350600192915050565b610cd233826114ad565b50565b60408051808201909152600181527f3100000000000000000000000000000000000000000000000000000000000000602082015281565b336000908152600560209081526040808320600160a060020a0386168452909152812054808310610d6057336000908152600560209081526040808320600160a060020a0388168452909152812055610d95565b610d70818463ffffffff6112c816565b336000908152600560209081526040808320600160a060020a03891684529091529020555b336000818152600560209081526040808320600160a060020a038916808552908352928190205481519081529051929392600080516020611d92833981519152929181900390910190a35060019392505050565b600654600160a060020a03163314610e0057600080fd5b610e0a828261159c565b5050565b600160a060020a031660009081526003602052604090205490565b600654600160a060020a031633146101b357600080fd5b600754600160a060020a0390811691161490565b6000806000fd5b60096020526000908152604090205481565b600260056000909192565b600654600160a060020a031681565b600080861580610e975750864211155b1515610ea257600080fd5b604080517fea2aa0a1be11a07ed86d755c93467f4f82362b452371d1ba94d1715123511acb6020820152600160a060020a03808d16828401528b166060820152608081018a905260a0810189905287151560c0808301919091528251808303909101815260e0909101909152610f17906115da565b9150610f25828686866116e1565b600160a060020a038b8116911614610f3c57600080fd5b600160a060020a038a1660009081526009602052604090208054600181019091558814610f6857600080fd5b85610f74576000610f78565b6000195b905085610f86576000610f88565b865b600160a060020a03808c166000908152600a60209081526040808320938e1683529290522055610fb98a8a836118e3565b50505050505050505050565b60018054604080516020600284861615610100026000190190941693909304601f810184900484028201840190925281815292918301828280156107f25780601f106107c7576101008083540402835291602001916107f2565b600061102b8383610d0c565b9392505050565b600061103e8383611324565b151561104957600080fd5b6108073384846112ed565b61105f338383610870565b505050565b61106f838383610870565b50505050565b7fea2aa0a1be11a07ed86d755c93467f4f82362b452371d1ba94d1715123511acb81565b600754600160a060020a031690565b600080428610156110b857600080fd5b600160a060020a03808a1660008181526009602090815260409182902080546001810190915582517f6e71edae12b1b97f4d1f60370fef10105fa2faae0126114a169c64845d6126c99281019290925281830193909352928b166060840152608083018a905260a0830182905260c08084018a90528151808503909101815260e090930190529250611149906115da565b9050611157818686866116e1565b600160a060020a038a811691161461116e57600080fd5b61117989898961127e565b505050505050505050565b336000908152600560209081526040808320600160a060020a03861684529091528120546111b8908363ffffffff6112da16565b336000818152600560209081526040808320600160a060020a038916808552908352928190208590558051948552519193600080516020611d92833981519152929081900390910190a350600192915050565b600160a060020a03918216600090815260056020908152604080832093909416825291909152205490565b61105f823383610870565b600654600160a060020a0316331461125857600080fd5b610cd281611a3e565b600a60209081526000928352604080842090915290825290205481565b6112898383836118e3565b60001981141561105f57600160a060020a038084166000908152600a60209081526040808320938616835292905290812055505050565b6000903b1190565b6000828211156112d457fe5b50900390565b818101828110156112e757fe5b92915050565b6112f682610e40565b1561105f5760408051600081526020810190915261131990849084908490611330565b151561105f57600080fd5b600061102b8383611abc565b600083600160a060020a031663a4c0ed3660e060020a028685856040516024018084600160a060020a0316600160a060020a0316815260200183815260200180602001828103825283818151815260200191508051906020019080838360005b838110156113a8578181015183820152602001611390565b50505050905090810190601f1680156113d55780820380516001836020036101000a031916815260200191505b5060408051601f198184030181529181526020820180517bffffffffffffffffffffffffffffffffffffffffffffffffffffffff167fffffffff00000000000000000000000000000000000000000000000000000000909916989098178852518151919790965086955093509150819050838360005b8381101561146357818101518382015260200161144b565b50505050905090810190601f1680156114905780820380516001836020036101000a031916815260200191505b509150506000604051808303816000865af1979650505050505050565b600160a060020a0382166000908152600360205260409020548111156114d257600080fd5b600160a060020a0382166000908152600360205260409020546114fb908263ffffffff6112c816565b600160a060020a038316600090815260036020526040902055600454611527908263ffffffff6112c816565b600455604080518281529051600160a060020a038416917fcc16f5dbb4873280815c1ee09dbd06736cffcc184412cf7a71a0fdb75d397ca5919081900360200190a2604080518281529051600091600160a060020a03851691600080516020611d728339815191529181900360200190a35050565b80600160a060020a03811615156115b257600080fd5b600160a060020a03831615156115d0576115cb82611b8b565b61105f565b61105f8383611b97565b6000600854826040518082805190602001908083835b6020831061160f5780518252601f1990920191602091820191016115f0565b51815160209384036101000a6000190180199092169116179052604080519290940182900382207f190100000000000000000000000000000000000000000000000000000000000083830152602283019790975260428083019790975283518083039097018752606290910192839052855192945084935085019190508083835b602083106116af5780518252601f199092019160209182019101611690565b5181516020939093036101000a6000190180199091169216919091179052604051920182900390912095945050505050565b6000808460ff16601b14806116f957508460ff16601c145b1515611775576040805160e560020a62461bcd02815260206004820152602260248201527f45434453413a20696e76616c6964207369676e6174757265202776272076616c60448201527f7565000000000000000000000000000000000000000000000000000000000000606482015290519081900360840190fd5b7f7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0831115611813576040805160e560020a62461bcd02815260206004820152602260248201527f45434453413a20696e76616c6964207369676e6174757265202773272076616c60448201527f7565000000000000000000000000000000000000000000000000000000000000606482015290519081900360840190fd5b60408051600080825260208083018085528a905260ff8916838501526060830188905260808301879052925160019360a0808501949193601f19840193928390039091019190865af115801561186d573d6000803e3d6000fd5b5050604051601f190151915050600160a060020a03811615156118da576040805160e560020a62461bcd02815260206004820152601860248201527f45434453413a20696e76616c6964207369676e61747572650000000000000000604482015290519081900360640190fd5b95945050505050565b600160a060020a0383161515611968576040805160e560020a62461bcd028152602060048201526024808201527f45524332303a20617070726f76652066726f6d20746865207a65726f2061646460448201527f7265737300000000000000000000000000000000000000000000000000000000606482015290519081900360840190fd5b600160a060020a03821615156119ee576040805160e560020a62461bcd02815260206004820152602260248201527f45524332303a20617070726f766520746f20746865207a65726f20616464726560448201527f7373000000000000000000000000000000000000000000000000000000000000606482015290519081900360840190fd5b600160a060020a0380841660008181526005602090815260408083209487168084529482529182902085905581518581529151600080516020611d928339815191529281900390910190a3505050565b600160a060020a0381161515611a5357600080fd5b600654604051600160a060020a038084169216907f8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e090600090a36006805473ffffffffffffffffffffffffffffffffffffffff1916600160a060020a0392909216919091179055565b33600090815260036020526040812054821115611ad857600080fd5b600160a060020a0383161515611aed57600080fd5b33600090815260036020526040902054611b0d908363ffffffff6112c816565b3360009081526003602052604080822092909255600160a060020a03851681522054611b3f908363ffffffff6112da16565b600160a060020a038416600081815260036020908152604091829020939093558051858152905191923392600080516020611d728339815191529281900390910190a350600192915050565b3031610e0a8282611c44565b604080517f70a0823100000000000000000000000000000000000000000000000000000000815230600482015290518391600091600160a060020a038416916370a0823191602480830192602092919082900301818787803b158015611bfc57600080fd5b505af1158015611c10573d6000803e3d6000fd5b505050506040513d6020811015611c2657600080fd5b5051905061106f600160a060020a038516848363ffffffff611cac16565b604051600160a060020a0383169082156108fc029083906000818181858888f193505050501515610e0a578082611c79611d41565b600160a060020a039091168152604051908190036020019082f080158015611ca5573d6000803e3d6000fd5b5050505050565b82600160a060020a031663a9059cbb83836040518363ffffffff1660e060020a0281526004018083600160a060020a0316600160a060020a0316815260200182815260200192505050600060405180830381600087803b158015611d0f57600080fd5b505af1158015611d23573d6000803e3d6000fd5b505050503d1561105f5760206000803e600051151561105f57600080fd5b604051602180611d51833901905600608060405260405160208060218339810160405251600160a060020a038116ff00ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925a165627a7a72305820b96bb0733a3e45fdddafa592f51114d0cf16cad047ad60b9b91ae91eb772c6940029

In simpler terms: both of these addresses contain a mastercopy of different token implementations. All tokens bridged to xDAI >1year ago the first time use the “old implementation” with reentrency.

Here you can see a list of tokens that have either the old or the new implementation:

gist.github.com

https://gist.github.com/akolotov/8860a966f0b5bcc7cb50f99ca3f1393b

01_bridged_tokens_old_implementation.csv

native_token_address,bridged_token_address,name,impl_address
0x89d24A6b4CcB1B6fAA2625fE562bDD9a23260359,0xc439E5B1DEe4f866B681E7c5E5dF140aA47fBf19,Dai Stablecoin v1.0 on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0x174897edD3ce414084A009d22db31C7b7826400d,0x5fE9885226677F3Eb5C9ad8aB6c421B4EA38535d,JOON on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0xEc0B6AFb3F9a609CEEd67e2CA551A4c573fd45F7,0x2906480c618DEd6417cB942cD487c9929726527A,DAOSquare on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0x514910771AF9Ca656af840dff83E8264EcF986CA,0xE2e73A1c69ecF83F464EFCE6A5be353a37cA09b2,ChainLink Token on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0xdF5e0e81Dff6FAF3A7e52BA697820c5e32D806A8,0x22Bd2A732b39dACe37AE7E8f50A186f3D9702e87,Curve.fi yDAI/yUSDC/yUSDT/yTUSD on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48,0xDDAfbb505ad214D7b80b1f830fcCc89B60fb7A83,USD//C on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0x57Ab1ec28D129707052df4dF418D58a2D46d5f51,0xB1950Fb2C9C0CbC8553578c67dB52Aa110A93393,Synth sUSD on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,0x6A023CCd1ff6F2045C3309768eAd9E68F978f6e1,Wrapped Ether on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9
0x0Ae055097C6d159879521C384F1D2123D1f195e6,0xb7D311E2Eb55F2f68a9440da38e7989210b9A05e,STAKE on xDai,0xf8D1677c8a0c961938bf2f9aDc3F3CFDA759A9d9

This file has been truncated. show original

02_bridged_tokens_new_implementation.csv

native_token_address,bridged_token_address,name,impl_address
0x0fF80a1708191C0Da8Aa600Fa487f7aC81D7818c,0x2dF5912439d2D14d04a7742346508505288eF367,Rickle from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0xE8c263a96Bcb637906B86CB523B4b472370fB7c1,0x31C2DC490167af022c8f666D93044503ba96404A,CopyrightCoin from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0x954b890704693af242613edEf1B603825afcD708,0xB0102a005090D6D3dFD7E26094D952707C42b086,Cardstack from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0xC40AF1E4fEcFA05Ce6BAb79DcD8B373d2E436c4E,0x537C1e62E1610FA9592AcCf3800010800921ecf3,Hokkaidu Inu from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0xC46a1691f151dddaBB2E0f8a370Ece40a6947025,0xe570C987f26a321374E71088D89EEdEf7CF9620D,Value Transfer Token from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0x5c7d136b43017Dd4ea67B0785142ee72eFD40742,0x13767e44d4c181Acd6326FDC7563C1A9b09Ad8ee,Meghan Jerolaman Token from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0x96c645D3D3706f793Ef52C19bBACe441900eD47D,0xcd022E3eD68ABa7c83964FC2F56d6eb59559aB71,MtPelerin Shares from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0x06ed2e5cFA3dc08ffD116B877aaDeaf96a4F5fbC,0x875FF953053442CA19796F20c8c8CC169263b775,Carbon Art Hybridization Charity from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4
0x3176C72C32571cF2a133e010bbC74Fa076965bab,0x5c718937B2D7442624b2C45dB4552F28Aa8e15Be,Knup from Mainnet,0x199084efbd7fe14d217BBF22FDC6E2eD7266dDD4

This file has been truncated. show original

E.g. you will find that HOPR token uses the old impl.

Here you can see the exact difference between the 2 implementations here:
https://www.diffchecker.com/NRvsKIhx

So after the hardfork all tokens would behave the same way as all the “new tokens”.

botanical · March 31, 2022, 3:16pm

Thanks for the update.

What’s the plan/timeline on implementing the bytecode replacement functionality in the clients? Which client versions are projected to be required to run to be able to support the hard fork?

mkoeppelmann · March 31, 2022, 3:57pm

I can’t give a timeline yet.
The hardfork was already successfully tested on a shadow fork so should not be too far out.

The next steps should be the release of Nethermind and hopefully Openethereum versions with the HF + agreeing on a future block number. The former xDAI team is leading this process.

SCBuergel · April 19, 2022, 12:35pm

For anyone who missed the announcement on Twitter 12 days ago - you have ~18h until the hardfork gets activated.

I suggest we discuss how to improve communications after this is over, this was a sub-optimal communication and consensus building exercise.

dansy · April 19, 2022, 3:02pm

The snapshot vote on this is still open: Snapshot.

Will the hardfork occur on 4/20 as previously announced or after the vote passes? I’d assume the later, but I it also seems like the Nethermind client has been updated and folks have already started migrating to it…

I agree that the communication on this has been sub-optimal.

Mojmir · April 19, 2022, 6:30pm

HF is happening tomorrow, April 20th around 8:23am UTC as it was previously announced 2 weeks ago.