Skip to main content
Security

FEG Bridge Drained One Million Dollars via Cross-Chain Verification Flaw

A critical logic error in the cross-chain relayer allowed an attacker to bypass deposit verification, compromising $1M across three chains.
November 19, 20253 min

A stylized three-dimensional object, resembling an 'X', is prominently displayed, composed of interlocking transparent blue and frosted clear elements with polished metallic accents. The structure sits angled on a reflective grey surface, casting a soft shadow, highlighting its intricate design and material contrasts
A prominent abstract digital structure dominates the frame, featuring an elongated central body meticulously constructed from numerous small, varied blue rectangular and cubic elements. This core is intricately enveloped by thin silver metallic wires and a thicker, smooth white rod, both spiraling around it and connecting to an array of glossy white spheres distributed throughout the composition

Briefing

The FEG Token Bridge was compromised via a critical logic flaw in its cross-chain relayer contract, allowing an attacker to mint and withdraw native FEG tokens without a corresponding deposit. This exploit fundamentally undermined the bridge’s security model, leading to immediate asset loss and a trust collapse across all affected chains. The attacker successfully siphoned approximately $1 million USD across the Ethereum, Base, and BSC networks before laundering the funds through Tornado Cash.

The image displays a detailed, abstract composition centered on a symmetrical, metallic blue and white 'X' shaped structure. This central element is surrounded and partially integrated into a textured, white, bubbly matrix, creating a sense of depth and complex interweaving

Context

Cross-chain bridges inherently represent a significant attack surface due to the complexity of secure message passing and state synchronization across disparate virtual machines. The prevailing risk factor was the reliance on a single, proprietary relayer implementation to manage critical access control logic, which is a known centralization point for systemic failure. This class of vulnerability ∞ logic flaws in custom message verification ∞ is a growing threat, often overlooked by standard audits focused solely on token contract security.

The image displays intricate blue glowing lines and points forming complex, multi-layered digital structures, rising from a dark grey, metallic-like base. These structures resemble a highly advanced circuit board or a dense network, with a shallow depth of field focusing on the central elements

Analysis

The core system compromised was the FEG Relayer contract, which failed to properly validate cross-chain messages. The attacker first leveraged a logic path that allowed the whitelisted sourceAddress parameter to be updated via a bridged message, effectively granting the attacker unauthorized control over the bridge’s operational controls. Once whitelisted, the attacker sent a malicious message to the relayer, which incorrectly processed it as a legitimate withdrawal request. This enabled the direct siphoning of FEG tokens from the bridge contract across Ethereum, Base, and BSC without a corresponding deposit.

A series of white, conical interface modules emerge from a light grey, grid-patterned wall, each surrounded by a dense, circular arrangement of dark blue, angular computational blocks. Delicate white wires connect these blue blocks to the central white module and the wall, depicting an intricate technological assembly

Parameters

  • Total Funds Stolen ∞ $1,000,000 USD – Approximate value of FEG tokens withdrawn across three chains.
  • Affected BlockchainsEthereum, Base, and BSC – The three networks where the bridge relayer was compromised.
  • Attack Vector Type ∞ Cross-Chain Message Verification Flaw – A logic error in validating the authenticity of a bridged message.
  • Post-Exploit Action ∞ Funds Sent to Tornado Cash – The primary method used by the attacker to obscure the trail of stolen assets.

The image presents an abstract, three-dimensional rendering of interconnected, layered components in white, dark grey, and translucent blue. Smooth, rounded structural elements interlock with transparent blue channels, creating a sense of dynamic flow and precise engineering

Outlook

Immediate mitigation requires all similar protocols utilizing custom cross-chain relayer logic to conduct a deep, line-by-line audit of all message validation and access control functions. The incident reinforces the systemic contagion risk inherent in multi-chain deployments, where a single logic flaw can be weaponized across all connected ecosystems. This event will likely establish a new security best practice mandating formal verification or multi-party consensus for all critical bridge operational updates, moving beyond simple code reviews.

The image displays an abstract, three-dimensional mechanical structure, predominantly white with intricate blue translucent block-like elements embedded throughout. It features a central cylindrical component surrounded by radially arranged segments, all interconnected by white frameworks and blue crystalline structures

Verdict

The FEG Bridge exploit confirms that custom cross-chain relayer logic remains a high-risk, single-point-of-failure, prioritizing speed over security and inviting catastrophic asset loss.

Cross-chain bridge security, Relayer contract logic, Message verification flaw, Access control bypass, Multi-chain exploit, Token withdrawal without deposit, Smart contract vulnerability, Blockchain interoperability risk, Bridging protocol failure, Decentralized finance risk, Code-level oversight, On-chain forensic analysis, Systemic contagion vector, Layer one security, Asset loss incident. Signal Acquired from ∞ certik.com

Micro Crypto News Feeds

relayer contract

Definition ∞ A relayer contract is a smart contract that facilitates communication and transaction execution between different blockchain networks or protocols.

message verification

Definition ∞ Message verification is the cryptographic process of confirming the authenticity and integrity of a digital message or transaction.

cross-chain

Definition ∞ Cross-chain refers to the ability of different blockchain networks to communicate and interact with each other.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

verification

Definition ∞ Verification is the process of confirming the truth, accuracy, or validity of information or claims.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

systemic contagion

Definition ∞ Systemic contagion describes the rapid spread of financial distress from one entity to others throughout a market or system.

asset loss

Definition ∞ Asset Loss denotes the depletion of value or disappearance of digital or physical assets.

Tags:

Tags: