Briefing

The FEG Token Bridge was compromised via a critical logic flaw in its cross-chain relayer contract, allowing an attacker to mint and withdraw native FEG tokens without a corresponding deposit. This exploit fundamentally undermined the bridge’s security model, leading to immediate asset loss and a trust collapse across all affected chains. The attacker successfully siphoned approximately $1 million USD across the Ethereum, Base, and BSC networks before laundering the funds through Tornado Cash.


Context

Cross-chain bridges inherently represent a significant attack surface due to the complexity of secure message passing and state synchronization across disparate virtual machines. The prevailing risk factor was the reliance on a single, proprietary relayer implementation to manage critical access control logic, which is a known centralization point for systemic failure. This class of vulnerability, logic flaws in custom message verification, is a growing threat, often overlooked by standard audits focused solely on token contract security.


Analysis

The core system compromised was the FEG Relayer contract, which failed to properly validate cross-chain messages. The attacker first leveraged a logic path that allowed the whitelisted sourceAddress parameter to be updated via a bridged message, effectively granting the attacker unauthorized control over the bridge’s operational controls. Once whitelisted, the attacker sent a malicious message to the relayer, which incorrectly processed it as a legitimate withdrawal request. This enabled the direct siphoning of FEG tokens from the bridge contract across Ethereum, Base, and BSC without a corresponding deposit.
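A constructed Python model of the flaw class described above, shown beside a hardened handler. It is an added illustration, not FEG's contract code. The message kinds, field names and the independently attested `deposits` ledger are assumptions.

```python
# Constructed model of a bridge relayer's message handling; not FEG's contract code.
from dataclasses import dataclass, field

@dataclass
class Message:
    src_chain: str
    source_address: str  # sender of the message on the source chain
    kind: str            # hypothetical kinds: "withdraw" or "set_source"
    payload: dict

@dataclass
class Relayer:
    admin: str
    trusted: dict                                   # chain -> whitelisted sourceAddress
    deposits: dict = field(default_factory=dict)    # (chain, nonce) -> (recipient, amount)
    consumed: set = field(default_factory=set)
    paid: list = field(default_factory=list)

    def handle_flawed(self, msg):
        # Flaw class: the whitelist that authenticates bridged messages
        # can itself be rewritten by a bridged message.
        if msg.kind == "set_source":
            self.trusted[msg.src_chain] = msg.payload["address"]
            return "whitelist updated"
        if self.trusted.get(msg.src_chain) != msg.source_address:
            raise PermissionError("untrusted source")
        self.paid.append((msg.payload["recipient"], msg.payload["amount"]))
        return "paid"

    def set_source(self, caller, chain, address):
        # Hardened: whitelist changes are a local, admin-only call.
        if caller != self.admin:
            raise PermissionError("only admin may change trusted sources")
        self.trusted[chain] = address

    def handle_hardened(self, msg):
        # Authenticate first, for every message kind.
        if self.trusted.get(msg.src_chain) != msg.source_address:
            raise PermissionError("untrusted source")
        if msg.kind != "withdraw":
            raise ValueError("config changes are not accepted over the bridge")
        key = (msg.src_chain, msg.payload["nonce"])
        claim = (msg.payload["recipient"], msg.payload["amount"])
        # Release only against an independently recorded, unconsumed deposit.
        if key in self.consumed or self.deposits.get(key) != claim:
            raise ValueError("no matching unconsumed deposit")
        self.consumed.add(key)
        self.paid.append(claim)
        return "paid"
```

The hardened path separates the control plane (who may change the whitelist) from the data plane (bridged messages), and ties every release to a deposit record that the message itself cannot supply.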


Parameters

  • Total Funds Stolen → $1,000,000 USD – Approximate value of FEG tokens withdrawn across three chains.
  • Affected Blockchains → Ethereum, Base, and BSC – The three networks where the bridge relayer was compromised.
  • Attack Vector Type → Cross-Chain Message Verification Flaw – A logic error in validating the authenticity of a bridged message.
  • Post-Exploit Action → Funds Sent to Tornado Cash – The primary method used by the attacker to obscure the trail of stolen assets.


Outlook

Immediate mitigation requires all similar protocols utilizing custom cross-chain relayer logic to conduct a deep, line-by-line audit of all message validation and access control functions. The incident reinforces the systemic contagion risk inherent in multi-chain deployments, where a single logic flaw can be weaponized across all connected ecosystems. This event will likely establish a new security best practice mandating formal verification or multi-party consensus for all critical bridge operational updates, moving beyond simple code reviews.


Verdict

The FEG Bridge exploit confirms that custom cross-chain relayer logic remains a high-risk single point of failure, one that prioritizes speed over security and invites catastrophic asset loss.

Signal Acquired from → certik.com
