LibertiVault Reentrant Share Inflation

2. Key Background

• Environment: Polygon clone-wallet ecosystem with EIP-1167 minimal proxies and shared implementation logic.
• Protocol context: sampled victim clones share homogeneous runtime code and extract implementation 0x10d0e9755c67ab37089acb4f51e8b4ee407fe853.
• Security-critical path: implementation initialize(address,bytes) both upgrades beacon state and executes payload logic via delegatecall.
• Asset: Polygon TEL token 0xdf7837de1f2fa4631d716cf2502f8b230f1dcc32.
• ACT pre-state sigma_B: publicly reconstructible state immediately before attacker contract deployment tx (0xa1136f...) at block 51546460, with adversary and clone states inferable from on-chain txlists/traces.

3. Vulnerability Analysis & Root Cause Summary

Root cause category is ATTACK. The broken invariant is: clone wallets must not allow arbitrary external parties to perform first initialization and control beacon/delegatecall execution paths. In this incident, uninitialized clones accepted external initialize(address,bytes) calls and processed attacker-chosen beacon/payload data. The code-level breakpoint is selector 0xd1f57894 (initialize(address,bytes)) in the clone implementation path, where attacker-provided inputs were accepted on uninitialized instances. Trace evidence shows each exploit call pattern as clone::initialize(0x10e5..., 0xa8b89898) followed by delegatecall execution that transfers TEL to 0xdb4b.... This was deterministic and repeatable across a nonce-ordered 14-tx sequence. The exploit required no privileged keys and no protocol-admin access, only permissionless transaction submission.

4. Detailed Root Cause Analysis

4.1 Invariant and breakpoint

• Invariant: first initialization authority for live wallet clones must be restricted to trusted deployment flow.
• Breakpoint operation: initialize(address,bytes) on uninitialized clone accepts adversary-controlled beacon and payload, then runs delegatecall side effects.

Snippet (victim implementation decompile):

/// selector 0xd1f57894
function Unresolved_d1f57894(address arg0, uint256 arg1) public payable {
    ...
    (bool success, bytes memory ret0) = address(arg0).Unresolved_5c60da1b(var_g); // staticcall
    ...
    store_b = (address(arg0) * 0x01) | (uint96(store_b));
    emit Event_1cf3b03a(address(arg0));
    ...
    require(!(bytes1(store_a / 0x01)), "Initializable: contract is already initialized");
}

4.2 Attacker payload mechanics

Snippet (attacker helper decompile):

/// selector 0xa8b89898
function Unresolved_a8b89898() public {
    require(address(tx.origin) == 0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7);
    ...
    (bool success, bytes memory ret0) = address(0xdf7837de1f2fa4631d716cf2502f8b230f1dcc32)
        .Unresolved_a9059cbb(var_f); // transfer TEL to attacker
}

4.3 On-chain execution evidence

Snippet (Polygon exploit-batch trace, tx 0xf479...):

0xFa1BB0...::initialize(0x10E5C8..., 0xa8b89898)
  -> 0x10d0E9...::initialize(... ) [delegatecall]
     -> emit BeaconUpgraded(param0: 0x10E5C8...)
     -> 0x10E5C8...::a8b89898() [delegatecall]
        -> UChildERC20::transfer(0xDB4B84..., 86400339) [delegatecall]
        -> emit Transfer(from: 0xFa1BB0..., to: 0xDB4B84..., value: 86400339)

State delta evidence in the same tx (0xf479...) confirms victim depletion and attacker gain:

• 0xfa1bb0... TEL: 86400339 -> 0
• 0xdb4b... TEL: 321401808682 -> 323517315421 (+2115506739)

4.4 Deterministic ACT conditions

Exploit conditions from the validated analysis:

• Target clone uninitialized at call time.
• Target clone holds transferable TEL.
• Attacker can submit initialize(address,bytes) with attacker-controlled beacon and payload.

Security principles violated:

• Initialization authority was not restricted to trusted deployer/factory context.
• Critical upgrade/delegatecall path was exposed to arbitrary first caller.

5. Adversary Flow Analysis

5.1 Adversary and victim set

• Adversary EOA: 0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7 (sender of deploy and exploit batches).
• Adversary helper: 0x10e5c8d3537856f141272e1c39befdab4dd8bde0 (deployed by 0xdb4b...).
• Sample victim clones: 0xfa1bb0..., 0x0c8d4f....
• Shared implementation sample: 0x10d0e9755c67ab37089acb4f51e8b4ee407fe853.

5.2 Lifecycle stages and transactions

1. Adversary contract deployment:

• Polygon tx 0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b (block 51546461) creates 0x10e5....

2. Batch clone takeover and drain:

• Polygon exploit sequence includes txs from nonce 6..19.
• Sequence status: 14/14 successful traces in label 0x3bb145b1_nonce_order_n6_to_n19.
• First/last representative exploit txs: 0x35f508... and 0xf479fe....
• Cumulative TEL to attacker before burn: 323517315421.

3. Bridge exit and monetization:

• Polygon burn tx: 0xd568764f5d4329a5864f6bf904d15b555c0475cb2b5ab539fbe7ca45f42f21cf (31932362500 TEL burn).
• Ethereum exit tx: 0xfec244364bc0d320ca0a2298d480b32f14b66162c4cf73cb6f562b0d9262b01e (matched to Polygon burn proof).
• Ethereum approve tx: 0x55ab6f933ff99d9c451afb39eac815f717e111dba212e241bb2a80d48db19c63.
• Ethereum swap tx: 0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45.

5.3 Transaction sequence b (from ACT definition)

1. 137:0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b
2. 137:0x35f50851c3b754b4565dc3e69af8f9bdb6555edecc84cf0badf8c1e8141d902d
3. 137:0xf479febaffb9be360b1568220e6f1b0332c7f5e8a61f058c4bbec99cd570f90c
4. 137:0xd568764f5d4329a5864f6bf904d15b555c0475cb2b5ab539fbe7ca45f42f21cf
5. 1:0xfec244364bc0d320ca0a2298d480b32f14b66162c4cf73cb6f562b0d9262b01e
6. 1:0x55ab6f933ff99d9c451afb39eac815f717e111dba212e241bb2a80d48db19c63
7. 1:0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45

6. Impact & Losses

Validated impact metrics:

• Gross TEL inflow to attacker on Polygon exploit batches: 323517315421 TEL.
• Burned on Polygon for bridge exit: 31932362500 TEL.
• Received from Ethereum swap path: 37494468852942501684 wei ETH.

The direct security impact is unauthorized control/takeover of uninitialized clone wallets and extraction of wallet-held TEL balances. Scope spans multiple clone instances sharing the vulnerable initialization surface.

7. References

Primary evidence artifacts:

• Upstream trace status summary: artifacts/collector/iter_4/analysis/upstream_3bb145b1_trace_status.json
• Exploit trace sample (0xf479...): artifacts/collector/iter_4/tx/137/0xf479febaffb9be360b1568220e6f1b0332c7f5e8a61f058c4bbec99cd570f90c/trace.cast.log
• Implementation decompile (0x10d0...): artifacts/collector/iter_4/contract/137/0x10d0e9755c67ab37089acb4f51e8b4ee407fe853/decompiled.sol
• Attacker helper decompile (0x10e5...): artifacts/collector/iter_4/contract/137/0x10e5c8d3537856f141272e1c39befdab4dd8bde0/decompiled.sol
• Clone bytecode homogeneity: artifacts/collector/iter_4/analysis/f479_array_bytecode_summary.json
• Creator/factory linkage: artifacts/auditor/iter_4/evidence/polygon_contract_creation_sample.json
• TEL flow accounting: artifacts/collector/iter_4/analysis/upstream_3bb145b1_balance_diff_flow_summary.json
• Exit payload decoding and child tx mapping: artifacts/collector/iter_3/analysis/exit_payload_decoding_summary.json
• Ethereum swap balance diff: artifacts/collector/iter_2/tx/1/0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45/balance_diff.json
• Deterministic attacker TEL snapshots: artifacts/auditor/iter_5/evidence/polygon_tel_balance_snapshots_db4b.json

Complete relevant tx set (role-tagged in root_cause.json):

• Related: 1:0xf5b9d6939bbf972ad7f771e9a1633669f393f8063c4a4e4b123640ce5e622557, 1:0xa08a39160c0554d815801bf0b08b457e36ae9ce68ea5172a2fe65f8fdade8967, 137:0xbc4baf16eda2da549eb198484e174e81a0d91e63085778d5da1bdbcf97f7c8f0.
• Adversary-crafted: 137:0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b, 137:0x35f50851c3b754b4565dc3e69af8f9bdb6555edecc84cf0badf8c1e8141d902d, 137:0x0b2c7e34152d3b71bf79c2e048c78004581c21c519562374f2af7f3deab1c0c3, 137:0x022150fa5b660c1f4f6f911dbd8ca0d483c2876ce784c8ea1e2a57f60de5eac9, 137:0x9f15cd029676ec339ad9a3c1528b7f54591c1a4c6d8ad9f7baf9ba89f4c1349a, 137:0x1b99e0826e4d23e77321e811a276138ab3da2bb0284f76ed15f49c61dbecfbed, 137:0x8a6cb45686c9aaef9f2950f1202ca8ced7929ad9f5174da96bdd06eb98b7cbb2, 137:0x919034799171c1dace0b4c0d0ce29e810ea8077a80109622a897d112f6fe4be6, 137:0x09391f982c3281f21a8e35ba879d1827f10995eda236e70868b085a8e5d39442, 137:0xee4e25d690d56aa77446e18422ba26ffb6d4ca3531b81ae3fbc478330a3ab7c0, 137:0xde55e877784385db0060d96de547b5d30aecd01c3fb4c8958fef2096b6792fc3, 137:0x2562bb2f2b727d9987af4e77c253934889ffc9cb1b23f46c28b20f289e6ad42c, 137:0x7e37cb018d60c570ad28c8a854bb0bcc93b3f0718b863571ede983f30f7e1211, 137:0x911abcc4067fdf6a993644623d9d8b5f9ca94c9dd805eb5fa90be2d26ab4b7c6, 137:0xf479febaffb9be360b1568220e6f1b0332c7f5e8a61f058c4bbec99cd570f90c, 137:0xd568764f5d4329a5864f6bf904d15b555c0475cb2b5ab539fbe7ca45f42f21cf, 1:0xfec244364bc0d320ca0a2298d480b32f14b66162c4cf73cb6f562b0d9262b01e, 1:0x55ab6f933ff99d9c451afb39eac815f717e111dba212e241bb2a80d48db19c63, 1:0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45.