Bitswift Race Condition Bugfix Review

Summary

Whitehat Yash Sodha submitted a critical vulnerability in Bitswift to Immunefi on May 9. The race condition vulnerability would have allowed a malicious user to repeatedly claim the same voucher, which entitles a user to some amount of crypto tokens. In summary, a hacker could have potentially sent high frequency claim requests in parallel to Bitswift’s claim faucet and received more crypto-assets than the hacker was entitled to. This vulnerability was not exploited. Bitswift disabled the claim faucet function and immediately worked to implement a fix. Bitswift paid a $5,710 CAD bounty to the whitehat for disclosing the vulnerability.

Vulnerability Analysis

When a user makes a voucher claim for a cryptocurrency (identified by its coinid) via the Bitswift web application, an HTTP POST request is made to https://bitswift.cash:8443/claim. However, the claim endpoint is subject to a race condition: if the same request is sent several times in parallel, two or more of the claims for the same voucher may succeed.
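To make the flaw concrete, the following is an added example and not Bitswift's own code (the page does not show the faucet's backend). It models a claim handler that checks whether a voucher is unclaimed in one database statement and marks it claimed in another, beside an atomic version that does both in a single conditional UPDATE and only pays out when that UPDATE actually changed a row. The SQLite-backed store, the table layout, the handler names and the reuse of the page's sample coinid and token as constructed test data are all assumptions made for illustration.

```python
import sqlite3
import threading

# Constructed sample voucher: the coinid/token pair mirrors the shape of the
# claim request body shown on this page; the store and handlers are illustrative.
SAMPLE_TOKEN = "iJEUih4uihwUIheUILglrv612tf3zg5rjkqwej"
SAMPLE_COINID = 8


class VoucherStore:
    """In-memory SQLite stand-in for the faucet's database (assumed layout).

    One lock serialises individual statements, as a real database server
    would; it does NOT make a SELECT-then-UPDATE sequence atomic.
    """

    def __init__(self, vouchers):
        self._conn = sqlite3.connect(":memory:", check_same_thread=False)
        self._lock = threading.Lock()
        self._conn.execute(
            "CREATE TABLE vouchers ("
            " token TEXT PRIMARY KEY, coinid INTEGER NOT NULL,"
            " claimed INTEGER NOT NULL DEFAULT 0)"
        )
        self._conn.executemany(
            "INSERT INTO vouchers (token, coinid) VALUES (?, ?)", vouchers
        )
        self._conn.commit()

    def run(self, sql, params=()):
        """Execute one statement; return (rows, number of rows changed)."""
        with self._lock:
            cur = self._conn.execute(sql, params)
            rows = cur.fetchall()
            self._conn.commit()
            return rows, cur.rowcount


def claim_vulnerable(store, token, coinid, barrier=None):
    """Check-then-act: the voucher status is read in one statement and
    updated in another, so parallel requests can all pass the check."""
    rows, _ = store.run(
        "SELECT claimed FROM vouchers WHERE token = ? AND coinid = ?",
        (token, coinid),
    )
    if not rows or rows[0][0]:
        return False  # unknown voucher or already claimed
    if barrier is not None:
        barrier.wait()  # holds every request past the check before any update
    store.run("UPDATE vouchers SET claimed = 1 WHERE token = ?", (token,))
    return True  # the caller would pay out here


def claim_fixed(store, token, coinid, barrier=None):
    """Atomic claim: one conditional UPDATE both checks and marks the voucher;
    only the request whose UPDATE changed a row is paid."""
    if barrier is not None:
        barrier.wait()
    _, changed = store.run(
        "UPDATE vouchers SET claimed = 1"
        " WHERE token = ? AND coinid = ? AND claimed = 0",
        (token, coinid),
    )
    return changed == 1


def run_parallel(handler, requests=8):
    """Send `requests` identical claims concurrently; return the payout count."""
    store = VoucherStore([(SAMPLE_TOKEN, SAMPLE_COINID)])
    barrier = threading.Barrier(requests, timeout=5)
    results = [False] * requests

    def worker(i):
        results[i] = handler(store, SAMPLE_TOKEN, SAMPLE_COINID, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable handler payouts:", run_parallel(claim_vulnerable))  # 8
    print("fixed handler payouts:", run_parallel(claim_fixed))            # 1
```

The barrier only makes the interleaving reproducible; in production the same window is opened by request latency. The fix pattern is the conditional write (or equivalently a unique constraint on a claims table, or a SELECT ... FOR UPDATE inside one transaction), and a rate limit on its own does not close the window because the parallel requests arrive inside it.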

The POST is as follows:

POST /claim HTTP/1.1
Host: bitswift.cash:8443
Connection: keep-alive
Content-Length: 61
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
Authorization: REDACTED
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4491.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: https://bitswift.cash
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://bitswift.cash/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"coinid":8,"token":"iJEUih4uihwUIheUILglrv612tf3zg5rjkqwej"}

The step-by-step walkthrough of this exploit is as follows:

1. Visit https://bitswift.cash/holdings

2. Click on claim

3. Click the claim button on any currency and intercept the request

4. Send the request multiple times using Turbo Intruder

Vulnerability Fix

Following the report, Bitswift immediately disabled the claim faucet functions and alerted its users via its social media channels. Bitswift has since implemented measures to secure the faucet and claim functions in order to bring them back online. The rest of the platform (imports / exports / balances) remained online and functional throughout this period.

Bitswift remains actively engaged with Immunefi to ensure its platforms and services remain the best in its class.

Acknowledgements

We’d like to thank the Bitswift team for implementing a fix and paying out a critical-level bounty to Yash Sodha. Bitswift would like to thank Immunefi for working together to make Bitswift.cash a safer place for all users. To report additional vulnerabilities, please see Bitswift’s bug bounty program with Immunefi.

If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.

If you’re interested in protecting your project with a bug bounty like Bitswift, visit the Immunefi services page and fill out the form.