Briefing

The FEG Token Bridge was compromised via a critical logic flaw in its cross-chain relayer contract, allowing an attacker to mint and withdraw native FEG tokens without a corresponding deposit. This exploit fundamentally undermined the bridge’s security model, leading to immediate asset loss and a trust collapse across all affected chains. The attacker successfully siphoned approximately $1 million USD across the Ethereum, Base, and BSC networks before laundering the funds through Tornado Cash.

Context

Cross-chain bridges inherently represent a significant attack surface due to the complexity of secure message passing and state synchronization across disparate virtual machines. The prevailing risk factor was the reliance on a single, proprietary relayer implementation to manage critical access control logic, which is a known centralization point for systemic failure. This class of vulnerability (logic flaws in custom message verification) is a growing threat, often overlooked by standard audits focused solely on token contract security.

Analysis

The core system compromised was the FEG Relayer contract, which failed to properly validate cross-chain messages. The attacker first leveraged a logic path that allowed the whitelisted sourceAddress parameter to be updated via a bridged message, effectively granting the attacker unauthorized control over the bridge’s operational controls. Once whitelisted, the attacker sent a malicious message to the relayer, which incorrectly processed it as a legitimate withdrawal request. This enabled the direct siphoning of FEG tokens from the bridge contract across Ethereum, Base, and BSC without a corresponding deposit.
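
One way to close the path described above, sketched in Solidity as an added example (not the FEG relayer's code, which this page does not show): the trusted-source whitelist is writable only by a local governance call, never by a bridged message. The contract name, `endpoint`, `governance` and the message layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not the FEG relayer's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract HardenedRelayer {
    address public immutable endpoint;   // assumed: transport contract that delivers bridged messages
    address public immutable governance; // assumed: multisig or timelock on this chain
    IERC20 public immutable token;

    mapping(uint16 => bytes32) public trustedSource; // srcChainId => keccak256(sender bytes)
    mapping(bytes32 => bool) public consumed;        // message id => already released

    error NotEndpoint();
    error NotGovernance();
    error UntrustedSource();
    error Replayed();

    constructor(address endpoint_, address governance_, IERC20 token_) {
        endpoint = endpoint_;
        governance = governance_;
        token = token_;
    }

    // The whitelist is written only here, by a local governance call.
    // No branch of receiveMessage() can change trustedSource.
    function setTrustedSource(uint16 srcChainId, bytes calldata source) external {
        if (msg.sender != governance) revert NotGovernance();
        trustedSource[srcChainId] = keccak256(source);
    }

    function receiveMessage(uint16 srcChainId, bytes calldata source, uint64 nonce, bytes calldata payload) external {
        if (msg.sender != endpoint) revert NotEndpoint();
        bytes32 expected = trustedSource[srcChainId];
        if (expected == bytes32(0) || keccak256(source) != expected) revert UntrustedSource();

        bytes32 id = keccak256(abi.encode(srcChainId, source, nonce));
        if (consumed[id]) revert Replayed();
        consumed[id] = true;

        // The payload is release data only; it carries no configuration opcode.
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

The release still trusts the source-chain contract to have locked the deposit; the checks here ensure only that that contract's messages, each processed once, can trigger a transfer.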

Parameters

  • Total Funds Stolen → $1,000,000 USD – Approximate value of FEG tokens withdrawn across three chains.
  • Affected Blockchains → Ethereum, Base, and BSC – The three networks where the bridge relayer was compromised.
  • Attack Vector Type → Cross-Chain Message Verification Flaw – A logic error in validating the authenticity of a bridged message.
  • Post-Exploit Action → Funds Sent to Tornado Cash – The primary method used by the attacker to obscure the trail of stolen assets.

Outlook

Immediate mitigation requires all similar protocols utilizing custom cross-chain relayer logic to conduct a deep, line-by-line audit of all message validation and access control functions. The incident reinforces the systemic contagion risk inherent in multi-chain deployments, where a single logic flaw can be weaponized across all connected ecosystems. This event will likely establish a new security best practice mandating formal verification or multi-party consensus for all critical bridge operational updates, moving beyond simple code reviews.

Verdict

The FEG Bridge exploit confirms that custom cross-chain relayer logic remains a high-risk single point of failure, one that prioritizes speed over security and invites catastrophic asset loss.

Signal Acquired from → certik.com
