DexLyn Disclosed Report

https://github.com/DexlynLabs/bridge-repo/tree/6a772c126e0879928021156ca91b89ac4f1bfcae/move

Description

The application exposes a hardcoded private key within the source code, which allows unauthorized access to the associated Ethereum wallet. This vulnerability can lead to full control over funds, unauthorized transactions, and potential financial loss.

Summary

The code contains a hardcoded private key (ANVIL_KEY), which can be used to gain access to a wallet. This key is embedded in the script and can be extracted by anyone with access to the repository or deployed application. An attacker can use this private key to:

Steal funds from the wallet Sign unauthorized transactions Impersonate the legitimate owner

Supporting Material/References OWASP Hardcoded Secrets Reference: https://owasp.org/www-project-top-ten/

Impact

Severity: High (Critical Risk)

Full control over the wallet. Potential loss of funds. Unauthorized contract interactions. Possible blacklisting of the compromised wallet.

Vulnerable Code Line

const ANVIL_KEY =
  '0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80';

Fix Code

import { Provider } from '@ethersproject/providers';
import { Wallet } from 'ethers';
import fs from 'fs';
import yargs from 'yargs';
import dotenv from 'dotenv';

import { Mailbox, TestSendReceiver__factory } from '@hyperlane-xyz/core';
import {
  ChainName,
  HookType,
  HyperlaneCore,
  MultiProvider,
  TestChainName,
} from '@hyperlane-xyz/sdk';
import { addressToBytes32, sleep } from '@hyperlane-xyz/utils';

dotenv.config(); // Load environment variables

// Secure way to load private key from environment variables
const ANVIL_KEY = process.env.PRIVATE_KEY;
if (!ANVIL_KEY) {
  throw new Error('Private key is missing! Set PRIVATE_KEY in .env file.');
}

enum MailboxHookType {
  REQUIRED = 'requiredHook',
  DEFAULT = 'defaultHook',
}

async function setMailboxHook(
  mailbox: Mailbox,
  coreAddresses: any,
  local: ChainName,
  mailboxHookType: MailboxHookType,
  hookArg: HookType,
) {
  const hook = coreAddresses[local][hookArg];
  switch (mailboxHookType) {
    case MailboxHookType.REQUIRED: {
      await mailbox.setRequiredHook(hook);
      break;
    }
    case MailboxHookType.DEFAULT: {
      await mailbox.setDefaultHook(hook);
      break;
    }
  }
  console.log(`Set the ${mailboxHookType} hook on ${local} to ${hook}`);
}

const chainSummary = async (core: HyperlaneCore, chain: ChainName) => {
  const coreContracts = core.getContracts(chain);
  const mailbox = coreContracts.mailbox;
  const dispatched = await mailbox.nonce();

  const processFilter = mailbox.filters.Process();
  const processes = await mailbox.queryFilter(processFilter);
  const processed = processes.length;

  return {
    chain,
    dispatched,
    processed,
  };
};

function getArgs() {
  return yargs(process.argv.slice(2))
    .option('messages', {
      type: 'number',
      describe: 'Number of messages to send; defaults to having no limit',
      default: 0,
    })
    .option('timeout', {
      type: 'number',
      describe: 'Time to wait between messages in ms.',
      default: 5000,
    })
    .option('mineforever', {
      type: 'boolean',
      default: false,
      describe: 'Mine forever after sending messages',
    })
    .option(MailboxHookType.DEFAULT, {
      type: 'string',
      describe: 'Description for defaultHook',
      choices: Object.values(HookType),
      default: HookType.AGGREGATION,
    })
    .option(MailboxHookType.REQUIRED, {
      type: 'string',
      describe: 'Required hook to call in postDispatch',
      choices: Object.values(HookType),
      default: HookType.PROTOCOL_FEE,
    }).argv;
}

async function main() {
  const args = await getArgs();
  const { timeout, defaultHook, requiredHook, mineforever } = args;
  let messages = args.messages;

  const kathyTestChains = [
    TestChainName.test1,
    TestChainName.test2,
    TestChainName.test3,
  ];

  // Use environment variable-based private key securely
  const signer = new Wallet(ANVIL_KEY);
  const multiProvider = MultiProvider.createTestMultiProvider({ signer });

  const provider = multiProvider.getProvider(TestChainName.test1);

  const addresses = JSON.parse(
    fs.readFileSync('./config/environments/test/core/addresses.json', 'utf8'),
  );
  const core = HyperlaneCore.fromAddressesMap(addresses, multiProvider);

  const randomElement = <T>(list: T[]) =>
    list[Math.floor(Math.random() * list.length)];

  const recipientF = new TestSendReceiver__factory(signer.connect(provider));
  const recipient = await recipientF.deploy();
  await recipient.deployTransaction.wait();

  const run_forever = messages === 0;
  while (run_forever || messages-- > 0) {
    const local = kathyTestChains[messages % kathyTestChains.length];
    const remote: ChainName = randomElement(
      kathyTestChains.filter((c) => c !== local),
    );
    const remoteId = multiProvider.getDomainId(remote);
    const contracts = core.getContracts(local);
    const mailbox = contracts.mailbox;

    await setMailboxHook(
      mailbox,
      addresses,
      local,
      MailboxHookType.DEFAULT,
      defaultHook,
    );
    await setMailboxHook(
      mailbox,
      addresses,
      local,
      MailboxHookType.REQUIRED,
      requiredHook,
    );

    const quote = await mailbox['quoteDispatch(uint32,bytes32,bytes)'](https://dashboard.hackenproof.com/redirect?url=
      remoteId,
      addressToBytes32(recipient.address),
      '0x1234',
    );
    await recipient['dispatchToSelf(address,uint32,bytes)'](https://dashboard.hackenproof.com/redirect?url=
      mailbox.address,
      remoteId,
      '0x1234',
      {
        value: quote,
      },
    );

    console.log(
      `Sent to ${recipient.address} on ${remote} via mailbox ${
        mailbox.address
      } on ${local} with nonce ${(await mailbox.nonce()) - 1}`,
    );
    console.log(await chainSummary(core, local));
    console.log(await chainSummary(core, remote));

    await sleep(timeout);
  }

  while (mineforever) {
    await provider.send('anvil_mine', ['0x01']);
    await sleep(timeout);
  }
}

main()
  .then(() => {
    console.info('Done sending random messages');
    process.exit(0);
  })
  .catch((err) => {
    console.error('Error sending random messages', err);
    process.exit(1);
  });

Fix Explanation

1. Removed Hardcoded Private Key Before: The private key ANVIL_KEY was directly written in the code. Now: It is securely loaded from an .env file using dotenv.

2. Environment Variable Integration Uses .env file to hide sensitive information. The line dotenv.config(); ensures that values from .env are automatically loaded into the program.

3. Added Error Handling If the PRIVATE_KEY is missing, the program throws an error instead of running insecurely.

4. Prevented Accidental Exposure in Logs Ensures that the private key never appears in logs or error messages.

Testing the Fix

1.Remove the hardcoded private key from the source code. 2.Create a .env file and add the private key. 3.Run the script with environment variables loaded:

node balance.js

4.Ensure the private key is not visible in logs or error messages. 5.Try accessing the source code and confirm the key is not exposed.

Suggested Fix

Use environment variables to store sensitive information. Use a secure vault (e.g., AWS Secrets Manager, HashiCorp Vault) for production secrets. Never commit private keys to GitHub repositories.

Conclusion This vulnerability allows full wallet compromise, making it a critical security issue. By implementing environment variables and secret management, we can prevent unauthorized access and keep funds secure.