Unearthing a $7k SocketSurge LootBox Exploit: A Deep Dive

How I claimed $7k from SocketSurge LootBox-II by exploiting Socket DL's defense mechanisms within two hours.

October 6, 2023
3 min read
bug bounty, security

Recently, I stumbled upon a challenge that felt more like a treasure hunt. Within a mere two hours, I managed to snatch $7k from the SocketSurge LootBox-II. Intrigued? Let's delve into the intricacies of how this endeavor played out.

Background

What's SocketSurge?

SocketSurge is an incentivized testnet designed to crowdsource the identification of vulnerabilities in Socket's data layer (Socket DL). To add a zest of competition, they deploy "loot boxes" with DAI locked inside them. If an individual successfully exploits a vulnerability in Socket DL, they get to claim the treasure.

The Challenge

The premise of LootBox-II was seemingly simple. To claim the reward, one had to remain the most recent cross-chain caller to the loot box contract for a whole hour. The catch? If someone else sends a message during that period, you lose your claim to the loot. But as with any worthwhile challenge, it was anything but straightforward.

The Strategy

Understanding the Mechanics

Given that anyone can dispatch a cross-chain message via Socket DL, the competition was already intense. SocketSurge has its own bot (operating on the Polygon network) sending cross-chain messages at regular intervals to establish a baseline.

Tackling the Bot

Brute-forcing was off the table, thanks to this baseline. This called for innovation. The choices were either to stop the bot from messaging (a seemingly impossible task) or to disrupt Socket DL enough that it would stop accepting new messages. I opted for the latter.

Exploiting the Defense Systems

I turned SocketTech's defense mechanisms against Socket itself. When a misbehaving transmitter dispatches an invalid packet, Socket's defenses freeze the source chain, preventing the switchboards from accepting new payloads from it.

Implementing the Block

Socket's PacketIds are assigned sequentially. I began by sending a cross-chain message from Polygon, making myself the last caller to Socket's loot box.

Later on, leveraging the transmitter role given by SocketTech to all surge pass holders, I engaged in an undisclosed action (presumably another exploit).

Guarding the Treasure

The subsequent hour was a test of vigilance. I had to ensure no interventions from other networks, specifically Arbitrum and BSC.

Whenever someone attempted to intervene from one of those chains, I executed the same procedure that had previously blocked messaging from Polygon. This ensured all inbound pathways to the loot box were sealed.

After a tense 60 minutes, the bounty from SocketSurge was mine!

Key Transactions:

- Initial Strategy: View on Optimistic Etherscan
- Bounty Claims: Transaction 1, Transaction 2

Closing Remarks

This exploit was not just a testament to the importance of robust system defenses, but also a showcase of how a methodical strategy and a deep understanding of how a system operates can lead to unexpected outcomes. It underlines the significance of continuous testing, feedback, and iteration in the blockchain domain.