
FEG Bridge Exploit Technical Analysis

ID: a8ba3431-6c1e-501d-84fa-0174e6efe226

STIX ID: report--a8ba3431-6c1e-501d-84fa-0174e6efe226

Feed Name: CertiK Blog

Threat Score: 70/100

Date Published: 2024-12-30

Date Updated: 2026-06-11


On 2024-12-29, an attacker exploited a flaw in the FEG bridge relayer's cross-chain message verification to add a malicious contract to the relayer whitelist and register unauthorized withdrawals. The attacker stole approximately $1M in FEG tokens across Ethereum, Base, and BSC, then converted the funds to native tokens and sent them to Tornado Cash. The issue stems from the relayer accepting bridged messages that set whitelist entries when the message payload specifies the admin user, which enables a bypass of the intended admin checks. The relayer contract is unverified, and the analysis is based on decompiled code.
