Summary
exploitation MEC token supply
Med Version
No response
Chain ID
No response
Affected Module
ME-Hub, SDK/API, Explorer/UI
What happened?
Successful exploitation would result in uncontrolled inflation of the MEC token supply, destroying the economic value of all existing token holdings. This represents a systemic risk to the entire MEC ecosystem and could lead to complete loss of confidence in the platform.
Reproduction Steps
1. Add idempotency checks to the resetExponent() function to prevent re-execution
2. Implement upgrade handler state tracking to ensure each upgrade can only execute once
3. Increase governance voting period from 120 seconds to a secure minimum duration
4. Add multi-signature requirements for protocol upgrade execution
5. Implement circuit breakers for abnormal token supply changes
Expected Behavior
The resetExponent() function in app/upgrade_v47.go of the ME Hub blockchain core multiplies ALL account balances by 99x during a protocol upgrade. This function lacks an idempotency check, meaning it can be re-triggered through a governance proposal. When combined with a free gas bypass mechanism and the short 120-second governance voting period, an attacker could execute the following attack chain: exploit free gas to submit a governance proposal, wait for the 120-second voting period to expire, re-trigger the upgrade handler, and cause a 99x multiplication of all token balances, resulting in hyperinflation and economic destruction of the MEC token.
Is it consistently reproducible?
Yes
Relevant log output
# Source: github.com/openmetaearth/meta-earth
# File: app/upgrade_v47.go
# Vulnerable function pattern:
func resetExponent() {
// Multiplies ALL account balances by 99x
// NO idempotency check - can be re-triggered
// via governance proposal
}
# GitHub Issue #11 - Status: OPEN (unpatched)
# Attack Chain:
# 1. Free gas bypass -> submit governance proposal
# 2. 120-second voting period expires
# 3. Re-trigger upgrade -> 99x mint
# 4. Economic destruction via hyperinflation
Screenshots or attachments
No response
Additional Context
No response
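The idempotency check, upgrade state tracking and supply circuit breaker listed in the report, sketched as an added example that is not part of the original report and not the project's own code. The Store type, NewStore, RunOnce, the MaxSupply ceiling and the sample balances are hypothetical stand-ins for chain state, constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

var (
	ErrAlreadyApplied = errors.New("upgrade already applied")
	ErrSupplyBreaker  = errors.New("staged supply exceeds cap")
)

// Store is a hypothetical stand-in for chain state, not the project's types.
type Store struct {
	Balances  map[string]*big.Int
	Applied   map[string]bool // upgrade name -> handler already ran
	MaxSupply *big.Int        // circuit-breaker ceiling (assumed parameter)
}

func NewStore(bal map[string]int64, maxSupply int64) *Store {
	s := &Store{Balances: map[string]*big.Int{}, Applied: map[string]bool{}, MaxSupply: big.NewInt(maxSupply)}
	for addr, v := range bal {
		s.Balances[addr] = big.NewInt(v)
	}
	return s
}

// RunOnce rescales every balance by factor at most once per upgrade name.
// Changes are staged and committed only after both checks pass.
func RunOnce(s *Store, name string, factor int64) error {
	if s.Applied[name] { // idempotency guard: a replay is rejected
		return ErrAlreadyApplied
	}
	staged, total := map[string]*big.Int{}, new(big.Int)
	for addr, b := range s.Balances {
		staged[addr] = new(big.Int).Mul(b, big.NewInt(factor))
		total.Add(total, staged[addr])
	}
	if total.Cmp(s.MaxSupply) > 0 { // circuit breaker on resulting supply
		return ErrSupplyBreaker
	}
	s.Balances, s.Applied[name] = staged, true // commit and record together
	return nil
}

func main() {
	s := NewStore(map[string]int64{"alice": 10, "bob": 5}, 2000) // constructed sample
	fmt.Println(RunOnce(s, "v47", 99))                           // first run succeeds
	fmt.Println(RunOnce(s, "v47", 99))                           // replay is rejected
	fmt.Println(s.Balances)
}
```

The applied marker is written in the same step as the new balances, so a handler that fails a check leaves neither behind.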