Port3: The theft was caused by a boundary condition validation vulnerability in the cross-chain token solution CATERC20; tokens will be reissued using a new contract.

Foresight News reported that Port3 Network has released an analysis report on the hacking incident. PORT3 adopted NEXA's CATERC20 cross-chain token solution, which contains a boundary condition verification vulnerability. When token ownership is renounced, the value returned by this function is 0, which happens to match the ownership verification condition. As a result, ownership verification fails, making unauthorized access possible. This issue was not pointed out in the CATERC20 audit report. Since Port3 tokens had previously renounced ownership to achieve greater decentralization, they were left in this vulnerable state.

The hacker discovered this authorization verification vulnerability in the PORT3 contract and initiated a RegisterChains operation, registering their own address as an address authorized to execute the BridgeIn operation. Meanwhile, the hacker deployed a forged token on the Arbitrum One chain and initiated a cross-chain transaction. Due to the vulnerability in the Port3 token contract on the BSC side, the verification was erroneously passed, resulting in 1 billion tokens being mistakenly minted. Subsequently, the hacker sold these tokens on a decentralized exchange (DEX), causing a rapid price crash. Port3 has contacted major exchanges to request the suspension of deposits and withdrawals. Next, the team will resolve this issue by reissuing tokens using a new contract.