Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Helping Secure BNB Chain Through Responsible Disclosure - 1279

Felix Wilhelm, posted 2 years ago
  • The BNB Beacon Chain is the governance and staking layer of the BNB Chain. They use a fork of the Cosmos SDK with many modifications.
  • One of the more sensitive parts is the coin type. In the original Cosmos SDK, it uses a safe bigInt wrapper instead of native types. However, in the fork, they use the int64 type for efficiency reasons. Because of this, integer overflows and underflows are possible when not checked.
  • The message MsgSend is used for simple 1-to-1 token transfers with multiple outputs. To prevent theft, a loop checks that the sender actually possesses the amount being sent, and a further check verifies that the total of the inputs matches the total of the outputs.
  • Using integer overflows, the verification above is trivial to bypass. In particular, an attacker can send out far more tokens than they own by making the inputs and outputs match only after the overflow wraps. This results in the ability to create tokens out of thin air, breaking the blockchain's security.
  • The solution was to patch their fork of the library to not allow overflows in the future. Overall, a fairly simple vulnerability in a popular project.
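To make the bug class concrete, here is an added Go example (mine, not code from Felix Wilhelm's post or from the BNB Chain fork) contrasting the two ways the input/output check can be written. The `Coin`, `naiveSum`, `checkedSum` and `validate*` names, and the sample transfer, are all constructed for illustration; the point is that an unchecked int64 accumulation lets two huge outputs wrap around so that their total appears to equal a small input, while an overflow-aware sum rejects the same message.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Coin is an assumed stand-in for a fork that stores amounts as int64
// instead of a checked big-integer wrapper.
type Coin struct {
	Denom  string
	Amount int64
}

var ErrOverflow = errors.New("int64 overflow while summing amounts")

// naiveSum accumulates with plain int64 addition: on overflow it wraps
// silently, which is exactly the behaviour the vulnerable check relied on.
func naiveSum(coins []Coin) int64 {
	var total int64
	for _, c := range coins {
		total += c.Amount
	}
	return total
}

// safeAdd returns a+b, or ErrOverflow if the result would not fit in int64.
func safeAdd(a, b int64) (int64, error) {
	if b > 0 && a > math.MaxInt64-b {
		return 0, ErrOverflow
	}
	if b < 0 && a < math.MinInt64-b {
		return 0, ErrOverflow
	}
	return a + b, nil
}

// checkedSum refuses negative amounts and refuses to wrap.
func checkedSum(coins []Coin) (int64, error) {
	var total int64
	for _, c := range coins {
		if c.Amount < 0 {
			return 0, errors.New("negative amount")
		}
		t, err := safeAdd(total, c.Amount)
		if err != nil {
			return 0, err
		}
		total = t
	}
	return total, nil
}

// validateNaive is the vulnerable pattern: inputs == outputs under wrapping arithmetic.
func validateNaive(inputs, outputs []Coin) bool {
	return naiveSum(inputs) == naiveSum(outputs)
}

// validateChecked is the hardened pattern: any overflow is an error, not a match.
func validateChecked(inputs, outputs []Coin) error {
	in, err := checkedSum(inputs)
	if err != nil {
		return err
	}
	out, err := checkedSum(outputs)
	if err != nil {
		return err
	}
	if in != out {
		return errors.New("inputs do not match outputs")
	}
	return nil
}

// forgedTransfer is a constructed message: the sender owns 10 units, but the
// outputs sum to MaxInt64 + MaxInt64 + 12, which wraps to exactly 10 in int64.
func forgedTransfer() (inputs, outputs []Coin) {
	inputs = []Coin{{"BNB", 10}}
	outputs = []Coin{{"BNB", math.MaxInt64}, {"BNB", math.MaxInt64}, {"BNB", 12}}
	return
}

// honestTransfer is a constructed well-formed message for comparison.
func honestTransfer() (inputs, outputs []Coin) {
	return []Coin{{"BNB", 10}}, []Coin{{"BNB", 4}, {"BNB", 6}}
}

func main() {
	in, out := forgedTransfer()
	fmt.Println("naive check accepts forged transfer:", validateNaive(in, out))
	fmt.Println("checked validation of forged transfer:", validateChecked(in, out))
	in, out = honestTransfer()
	fmt.Println("checked validation of honest transfer:", validateChecked(in, out))
}
```

The detection side follows directly: any amount-summing path in an int64-based ledger that does not go through something like `safeAdd` is a candidate for exactly this bypass, and a unit test with two `math.MaxInt64` outputs is a cheap regression check to keep in place after patching.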