Avalanche Vulnerability Report

How We Discovered A $350M Risk

Posted by Statemind on September 16, 2022 · 6 mins read

Avalanche Vulnerability Report: How We Discovered A $350M Risk

On September 4, 2022, Statemind reported a critical vulnerability as a result of widespread research across more than ten top blockchain protocols.

Statemind regularly conducts such exercises in an effort to make the crypto ecosystem a safer and more secure place and gain both invaluable data and experience.

The discovery turned into a situation where Statemind became the center of a cryptocurrency community investigation and saved Avalanche, Abracadabra, and SushiSwap an estimated $350M+ in potential losses.

In this blog post, we will explain exactly how the critical vulnerability was found, what the vulnerability was, and the steps Statemind and the developers took to protect the crypto community.

What Our Research Turned Up: A Critical Precompile Contract Vulnerability

The routine research was focused on precompile contracts. Precompile contracts enable developers to add custom functionality to the Ethereum virtual machine.

A flaw was discovered within the Avalanche C-Chain Native Asset Call precompile. The Native Asset Call precompile is a unique feature on the C-Chain connected to Avalanche Native Tokens. The vulnerability could be exploited by bad actors to call targets using blacklist-protected calls.

In a standard setting, the Native Asset Call transfers the Avalanche Native Token from the caller to the callee. It instills the precompiled contract with call data such as receiver address, AssetID, amount of the transfer, and more. What we discovered was a case where contracts allowed users to provide a callback address and failed to filter out the precompile from the blacklist.

The vulnerability was the result of ineffective validation checks and was discovered in often-overlooked precompiled contracts used to save time and money. Despite the rather mundane-sounding call, due to the complexity of the issue and the value at stake, the importance of the discovery cannot be understated.

How The Report Was Made: Crypto Development Community Demands Answers

Once discovered, the Statemind team made an anonymous tip to ImmuneFi, hoping to have the most immediate impact and get the attention of developers quickly. What we didn’t expect was the sudden support from the crypto development community and an investigation that uncovered Statemind as the white hat tipster.


SushiSwap core dev Matthew Lilley was the first to vocalize the discovery of the “attack vector” publicly. Lilley revealed at the time that the SushiSwap team was able to verify the vulnerability report from ImmuneFi, and quickly got to work in spreading the word across the dev community and coordinating a fix.

Ava Labs launched a patch that refused future interaction with the Native Asset Call and immediately coordinated with node operators across the globe. Only hours later, and despite a holiday weekend, a majority of the stake upgraded and stopped further exploitation of the precompile contract vulnerability.

The Avalanche community and key developers continued to look into the anonymous white hat hacker, and ultimately we decided to come forward to confirm the reports. Statemind was directly named on social media and on the official Medium blog of Ava Labs.


How Much Money Was At Stake? Discovery Prevents $350M+ In Estimated Damages

Ava Labs’ Head of Engineering Patrick O’Grady confirmed Statemind as the anonymous white hat tipster who stepped in and stopped any significant losses or damages.

After gathering information related to the potential impact, estimated damages reached over $350M across the Avalanche ecosystem. $300M worth of MIM tokens and an additional $3M in user funds in Abracadabra, plus $60M in NXUSD tokens, and roughly $100K in funds from SushiSwap, were part of the grand totals.

The overall complexity and massive possible losses prevented are in the top three most significant instances of such critical security flaws. Statemind is proud to have contributed to protecting the cryptocurrency community and ensuring the highest standards in code across the industry.


Developers who avoided what could have been an extremely harmful situation were ultimately grateful for Statemind’s systematic research and what it turned up. For example, the official Abracadabra Twitter publicly expressed its thanks to Statemind for its contribution.

What We Do: How Statemind Seeks To Raise The Bar On Security Standards

As a leading blockchain security auditing team with over 100,000 LoC of Solidity and Vyper experience combined, we have secured over $10B in TVL, and this latest vulnerability is the type of situation we work to snuff out before they turn into irreversible losses or damages.

Last month, we placed 14th in the Paradigm CTF 2022. Our expertise comes from a team of versatile development specialists who are well-versed in blockchain security risks, threats, and how to protect against code-related issues proactively.

We are appreciative of the bounty the development community has extended to Statemind as a thank you. Our goal is ultimately to make the crypto community as safe as possible and without the unnecessary risk that could be prevented with an in-depth security audit.

In the future, you will continue to hear about Statemind’s contributions to the blockchain space. Current clients include LIDO, Yearn.Finance, and 1INCH network.