Overview:
On October 6, 2022 (UTC) an exploit hit BSC Token Hub, the native cross-chain bridge of BNB Chain. The bug was in the bridge's proof verifier. With a total of 2 million BNB drained from the bridge, Binance temporarily halted the BSC network to prevent further damage. The funds the attacker managed to move off BSC before the halt are estimated at $100 to $110 million.
Introducing Binance Smart Chain and Token Hub Bridge:
Binance Smart Chain (BSC) is a blockchain network for running smart-contract-based applications. BSC works side by side with Binance's native Binance Chain (BC), letting users combine BC's fast trading capabilities with BSC's smart contract functionality. Today the two chains are named:
- BNB Beacon Chain (the old Binance Chain) – BNB Chain governance (staking, voting)
- BNB Smart Chain (BSC, formerly Binance Smart Chain) – EVM compatible, consensus layer, hub to multi-chains
For more information, see our article.
BSC Token Hub:
BSC Token Hub is the cross-chain bridge between the BNB Beacon Chain (BEP2 tokens) and the BNB Smart Chain (BEP20 tokens). For more information, check the official documentation from Binance.
Vulnerability analysis and impact:
Attack transaction details:
Hacker Address: 0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec
First Txn Hash: 0xebf83628ba893d35b496121fb8201666b8e09f3cbadf0e269162baa72efe3b8b
Second Txn Hash: 0x05356fd06ce56a9ec5b4eaf9c075abd740cae4c21eab1676440ab5cd2fe5c57a
BSC Token Hub Contract: 0x0000000000000000000000000000000000001004
Original Txn Hash (block height 110217401): 0x79575ff791606ef2c7d69f430d1fee1c25ef8d56275da94e6ac49c9c4cc5f433
Defect:
BSC Token Hub uses a precompiled contract to verify IAVL (Immutable AVL) tree proofs when validating cross-chain packages. The exploiter took advantage of a bug in the proof-verification logic, adapting a legitimate proof so that the bridge minted 2M BNB.
The root cause seems to be this comparison in the IAVL range-proof verifier (the "from" line below).
The problem is that lpath.Right is not necessarily used at all when calculating the root hash of the tree: when the inner node's Left hash is non-empty, the node hash is computed from Left and the child hash only, so Right is never bound to the root, yet it is still the value the derived right-subtree root is compared against. An attacker can therefore place any hash in lpath.Right and the check passes.
To fix this you need to change the line
from:
```
if !bytes.Equal(derivedRoot, lpath.Right) ...
```
to something like:
```
expectedHash := lpath.Left
if len(lpath.Left) == 0 {
	expectedHash = lpath.Right
}
if !bytes.Equal(derivedRoot, expectedHash) ...
```
Attack:
1. The attacker took a legitimately relayed proof from a block created two years earlier (block height 110217401) and used its root hash as the target for a forged IAVL proof. The details of this original transaction are under the original txn hash listed above.
2. The attacker added a leaf node with the current packageSequence as Key and the hash of the malicious payload (a transfer of 1M BNB to the attacker's address) as Value, plus an empty inner node above the leaf so the proof's structure satisfied the implementation's checks.
3. The attacker set the Right field of the left path's inner node to the hash of the leaf node just created. Because Right is not included in the hash computation, the root hash still equals the root of the legitimately relayed block, while the comparison against lpath.Right passes. The withdrawal proof for the given block was then built and the transaction sent.
4. The transaction succeeded and the attacker received 1M BNB. Repeating the procedure yielded another 1M BNB, for a total of 2M BNB, worth about $570 million at the time.
The attacker attempted the 1M BNB mint 17 times but succeeded only twice, for 2M BNB in total. The failed attempts conflicted with legitimate cross-chain transactions that front-ran the exploit transaction using the same packageSequence.
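The following is an added example, not code from the original post or from the iavl library. It is a deliberately minimal model of the range-proof check described in the defect and attack sections above: its own types (innerNode, leaf, rangeProof) and functions (hashInner, verify, buildScenario) stand in for the iavl ones, it uses plain SHA-256 instead of iavl's amino-encoded hashing, and it constructs a made-up legitimate proof in place of the real proof from block 110217401. It reproduces the property the exploit relied on (an inner node with a non-empty Left hash never hashes its Right field), shows the forged proof passing the flawed comparison, and shows the patched comparison rejecting it.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// innerNode is a stand-in for iavl's ProofInnerNode (assumed, simplified model).
// When Left is set, the proven child is the right child and Left is its sibling;
// when Left is empty, the child is on the left and Right is its sibling.
type innerNode struct {
	Left  []byte
	Right []byte
}

// leaf is a key/value pair; in the bridge the key is the package sequence and
// the value is the hash of the cross-chain package.
type leaf struct {
	Key   []byte
	Value []byte
}

// rangeProof is a minimal range proof: the leftmost leaf, the inner node above it,
// and an optional right leaf the prover claims hangs under Inner.Right.
type rangeProof struct {
	Inner     innerNode
	LeftLeaf  leaf
	RightLeaf *leaf
}

func hashLeaf(l leaf) []byte {
	h := sha256.New()
	h.Write([]byte{0x00}) // leaf domain tag
	h.Write(l.Key)
	h.Write(l.Value)
	return h.Sum(nil)
}

// hashInner mirrors the shape of ProofInnerNode.Hash: with Left set, the hash
// covers Left||child and Right is never read. That is the property the exploit used.
func hashInner(n innerNode, child []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01}) // inner domain tag
	if len(n.Left) == 0 {
		h.Write(child)
		h.Write(n.Right)
	} else {
		h.Write(n.Left)
		h.Write(child)
	}
	return h.Sum(nil)
}

// verify checks p against root. With fixed=false it reproduces the flawed check
// (derived right-subtree root compared to Inner.Right, which may be unhashed);
// with fixed=true it compares against the side that actually feeds the hash,
// as in the patch sketched in the text.
func verify(p rangeProof, root []byte, fixed bool) bool {
	if p.RightLeaf != nil {
		derived := hashLeaf(*p.RightLeaf)
		expected := p.Inner.Right
		if fixed && len(p.Inner.Left) != 0 {
			expected = p.Inner.Left
		}
		if !bytes.Equal(derived, expected) {
			return false
		}
	}
	return bytes.Equal(hashInner(p.Inner, hashLeaf(p.LeftLeaf)), root)
}

// buildScenario constructs (as a made-up stand-in for the proof of block 110217401)
// a legitimate proof, its root hash, and the forged proof derived from it.
func buildScenario() (root []byte, legit, forged rangeProof) {
	sibling := sha256.Sum256([]byte("constructed: hash of the legitimate left sibling"))
	legit = rangeProof{
		Inner:    innerNode{Left: sibling[:]}, // Left set => Right is never hashed
		LeftLeaf: leaf{Key: []byte("legit-key"), Value: []byte("legit-value")},
	}
	root = hashInner(legit.Inner, hashLeaf(legit.LeftLeaf))

	// Forged leaf: Key = current packageSequence, Value = hash of the malicious
	// payload (placeholder bytes here). Its hash is copied into Inner.Right, the
	// very field the flawed verifier compares against but never hashes.
	evil := leaf{Key: []byte("packageSequence"), Value: []byte("sha256(mint 1M BNB payload)")}
	forged = legit
	forged.RightLeaf = &evil
	forged.Inner.Right = hashLeaf(evil)
	return root, legit, forged
}

func main() {
	root, legit, forged := buildScenario()
	fmt.Println("legit proof,  vulnerable check:", verify(legit, root, false))  // true
	fmt.Println("forged proof, vulnerable check:", verify(forged, root, false)) // true: the exploit
	fmt.Println("forged proof, fixed check:     ", verify(forged, root, true))  // false
}
```

Run it with `go run`. The design point is general: a verifier may only compare derived values against fields that are themselves bound into the root hash. Here Inner.Right is compared against but never hashed, which is exactly the gap the attacker filled. A stricter fix than the one sketched in the text would reject any proof that claims a right subtree while Left is non-empty, since the proven child is then itself the right child and nothing can hang to its right.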
After exploit:
Hours after the attack, Binance CEO CZ announced the incident in a tweet, and the BSC network was halted to prevent further damage.
A few hours later, the issue was fixed in BSC release v1.1.15, which also blacklisted the attacker's address, blocking the further flow of the attacker's funds on BSC.
Funding status:
Current assets held by the attacker on various chains:
Flow of funds:
Image source: https://twitter.com/BeosinAlert/status/1578290676793384961/photo/1
Further references/credits:
https://github.com/emilianobonassi/bsc-hack-analysis-2022-10-06
Web3 Security – Needed Now
Why QuillAudit for Web3 Security?
QuillAudits has the tools and expertise to deliver cybersecurity solutions that prevent millions of dollars from being lost.