Briefing

The FEG Token Bridge was compromised via a critical logic flaw in its cross-chain relayer contract, allowing an attacker to mint and withdraw native FEG tokens without a corresponding deposit. This exploit fundamentally undermined the bridge’s security model, leading to immediate asset loss and a trust collapse across all affected chains. The attacker successfully siphoned approximately $1 million USD across the Ethereum, Base, and BSC networks before laundering the funds through Tornado Cash.

Context

Cross-chain bridges inherently represent a significant attack surface due to the complexity of secure message passing and state synchronization across disparate virtual machines. The prevailing risk factor was the reliance on a single, proprietary relayer implementation to manage critical access control logic, which is a known centralization point for systemic failure. This class of vulnerability (logic flaws in custom message verification) is a growing threat, often overlooked by standard audits focused solely on token contract security.

Analysis

The core system compromised was the FEG Relayer contract, which failed to properly validate cross-chain messages. The attacker first leveraged a logic path that allowed the whitelisted sourceAddress parameter to be updated via a bridged message, effectively granting the attacker unauthorized control over the bridge’s operational controls. Once whitelisted, the attacker sent a malicious message to the relayer, which incorrectly processed it as a legitimate withdrawal request. This enabled the direct siphoning of FEG tokens from the bridge contract across Ethereum, Base, and BSC without a corresponding deposit.
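
A simplified Python model of the flaw class described above, added here as an illustration; it is not FEG's contract code, and the `Relayer` class, message fields, account names and the deposit ledger are assumptions constructed for the example. It contrasts a relayer whose whitelist can be rewritten by a bridged message with one that only changes the whitelist through a local owner call and requires each withdrawal to consume a recorded deposit.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:                 # constructed model of a bridged message
    source_address: str        # sender as reported by the messaging layer
    action: str                # "set_source" or "withdraw"
    args: dict

@dataclass
class Relayer:
    owner: str
    trusted_source: str
    hardened: bool
    balance: int = 1_000
    deposits: dict = field(default_factory=dict)  # deposit_id -> escrowed amount

    def set_source_local(self, caller: str, new_source: str) -> None:
        # Hardened admin path: only the local owner may change the whitelist.
        if caller != self.owner:
            raise PermissionError("not owner")
        self.trusted_source = new_source

    def receive(self, msg: Message) -> int:
        if msg.action == "set_source" and not self.hardened:
            # Flawed path: the whitelist is rewritten over the channel it is
            # meant to guard, before any check on who sent the message.
            self.trusted_source = msg.args["new_source"]
            return 0
        if msg.source_address != self.trusted_source:
            raise PermissionError("untrusted source")
        if msg.action != "withdraw":
            raise ValueError("action not accepted over the bridge")
        amount, dep = msg.args["amount"], msg.args.get("deposit_id")
        if self.hardened:
            # Invariant: each withdrawal consumes one matching recorded deposit.
            if dep not in self.deposits or self.deposits[dep] != amount:
                raise ValueError("no matching deposit")
            del self.deposits[dep]
        self.balance -= amount
        return amount

def replay_sequence(hardened: bool) -> tuple[int, list[str]]:
    """Feed the two-message sequence from the Analysis; return (balance, rejections)."""
    r = Relayer(owner="owner", trusted_source="bridge-src", hardened=hardened)
    rejected = []
    for m in (Message("outsider", "set_source", {"new_source": "outsider"}),
              Message("outsider", "withdraw", {"amount": 1_000, "deposit_id": "d1"})):
        try:
            r.receive(m)
        except (PermissionError, ValueError) as e:
            rejected.append(str(e))
    return r.balance, rejected
```

In the flawed configuration the sequence leaves the model's balance at zero with no rejections; in the hardened one both messages are rejected at the sender check, and the deposit ledger would still bound withdrawals if the whitelist were ever wrong.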

Parameters

  • Total Funds Stolen → $1,000,000 USD – Approximate value of FEG tokens withdrawn across three chains.
  • Affected Blockchains → Ethereum, Base, and BSC – The three networks where the bridge relayer was compromised.
  • Attack Vector Type → Cross-Chain Message Verification Flaw – A logic error in validating the authenticity of a bridged message.
  • Post-Exploit Action → Funds Sent to Tornado Cash – The primary method used by the attacker to obscure the trail of stolen assets.

Outlook

Immediate mitigation requires all similar protocols utilizing custom cross-chain relayer logic to conduct a deep, line-by-line audit of all message validation and access control functions. The incident reinforces the systemic contagion risk inherent in multi-chain deployments, where a single logic flaw can be weaponized across all connected ecosystems. This event will likely establish a new security best practice mandating formal verification or multi-party consensus for all critical bridge operational updates, moving beyond simple code reviews.

Verdict

The FEG Bridge exploit confirms that custom cross-chain relayer logic remains a high-risk single point of failure, one that prioritizes speed over security and invites catastrophic asset loss.

Signal Acquired from → certik.com