Security

FEG Bridge Drained One Million Dollars via Cross-Chain Verification Flaw

A critical logic error in the cross-chain relayer allowed an attacker to bypass deposit verification, compromising $1M across three chains.
November 19, 20253 min

A close-up view captures a futuristic device, featuring transparent blue cylindrical and rectangular sections filled with glowing blue particles, alongside brushed metallic components. The device rests on a dark, reflective surface, with sharp focus on the foreground elements and a soft depth of field blurring the background
The image displays an intricate, three-dimensional abstract structure composed of translucent and opaque geometric forms. A central, clear cross-shaped element anchors the composition, surrounded by layered metallic and transparent components, with vibrant blue segments channeling through the right side

Briefing

The FEG Token Bridge was compromised via a critical logic flaw in its cross-chain relayer contract, allowing an attacker to mint and withdraw native FEG tokens without a corresponding deposit. This exploit fundamentally undermined the bridge’s security model, leading to immediate asset loss and a trust collapse across all affected chains. The attacker successfully siphoned approximately $1 million USD across the Ethereum, Base, and BSC networks before laundering the funds through Tornado Cash.

The image displays intricate blue glowing lines and points forming complex, multi-layered digital structures, rising from a dark grey, metallic-like base. These structures resemble a highly advanced circuit board or a dense network, with a shallow depth of field focusing on the central elements

Context

Cross-chain bridges inherently represent a significant attack surface due to the complexity of secure message passing and state synchronization across disparate virtual machines. The prevailing risk factor was the reliance on a single, proprietary relayer implementation to manage critical access control logic, which is a known centralization point for systemic failure. This class of vulnerability → logic flaws in custom message verification → is a growing threat, often overlooked by standard audits focused solely on token contract security.

A bright white spherical object, segmented and partially open to reveal a smaller inner sphere, is centrally positioned. It is surrounded by a dense, radial arrangement of sharp, angular geometric forms in varying shades of blue and dark blue, receding into a blurred light background, creating a sense of depth and intricate protection

Analysis

The core system compromised was the FEG Relayer contract, which failed to properly validate cross-chain messages. The attacker first leveraged a logic path that allowed the whitelisted sourceAddress parameter to be updated via a bridged message, effectively granting the attacker unauthorized control over the bridge’s operational controls. Once whitelisted, the attacker sent a malicious message to the relayer, which incorrectly processed it as a legitimate withdrawal request. This enabled the direct siphoning of FEG tokens from the bridge contract across Ethereum, Base, and BSC without a corresponding deposit.

A futuristic mechanical device, composed of metallic silver and blue components, is prominently featured, partially covered in a fine white frost or crystalline substance. The central blue element glows softly, indicating internal activity within the complex, modular structure

Parameters

  • Total Funds Stolen → $1,000,000 USD – Approximate value of FEG tokens withdrawn across three chains.
  • Affected BlockchainsEthereum, Base, and BSC – The three networks where the bridge relayer was compromised.
  • Attack Vector Type → Cross-Chain Message Verification Flaw – A logic error in validating the authenticity of a bridged message.
  • Post-Exploit Action → Funds Sent to Tornado Cash – The primary method used by the attacker to obscure the trail of stolen assets.

The image displays a detailed, close-up view of a complex, three-dimensional structure composed of interlocking metallic blocks in shades of blue, silver, and black. A prominent, reflective dark blue tube-like element gracefully traverses and loops above this intricate assembly, creating a sense of dynamic flow and connection

Outlook

Immediate mitigation requires all similar protocols utilizing custom cross-chain relayer logic to conduct a deep, line-by-line audit of all message validation and access control functions. The incident reinforces the systemic contagion risk inherent in multi-chain deployments, where a single logic flaw can be weaponized across all connected ecosystems. This event will likely establish a new security best practice mandating formal verification or multi-party consensus for all critical bridge operational updates, moving beyond simple code reviews.

Two sleek, white, modular electronic devices with intricate, glowing blue internal circuitry are depicted in a close-up, facing each other. A vibrant burst of luminous blue particles emanates from one device and flows towards the other, signifying a dynamic exchange

Verdict

The FEG Bridge exploit confirms that custom cross-chain relayer logic remains a high-risk, single-point-of-failure, prioritizing speed over security and inviting catastrophic asset loss.

Cross-chain bridge security, Relayer contract logic, Message verification flaw, Access control bypass, Multi-chain exploit, Token withdrawal without deposit, Smart contract vulnerability, Blockchain interoperability risk, Bridging protocol failure, Decentralized finance risk, Code-level oversight, On-chain forensic analysis, Systemic contagion vector, Layer one security, Asset loss incident. Signal Acquired from → certik.com

Micro Crypto News Feeds

relayer contract

Definition ∞ A relayer contract is a smart contract that facilitates communication and transaction execution between different blockchain networks or protocols.

message verification

Definition ∞ Message verification is the cryptographic process of confirming the authenticity and integrity of a digital message or transaction.

cross-chain

Definition ∞ Cross-chain refers to the ability of different blockchain networks to communicate and interact with each other.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

verification

Definition ∞ Verification is the process of confirming the truth, accuracy, or validity of information or claims.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

systemic contagion

Definition ∞ Systemic contagion describes the rapid spread of financial distress from one entity to others throughout a market or system.

asset loss

Definition ∞ Asset Loss denotes the depletion of value or disappearance of digital or physical assets.

Tags:

Tags: