The cross-chain bridge for Binance Coin (BNB) on the Binance Smart Chain (BSC) was hacked. An attacker drained 2 million BNB (566 million USD). How did this happen? Let's follow the Twitter thread!
While reviewing the transactions of the attacker account, samczsun noticed a large amount of funds that went into Venus. Reviewing the transaction from the Binance Bridge made it clear: the bridge had been convinced to send the attacker 1 million BNB. So, it appears that the bridge has a bug in it.
What reconnaissance can we do before checking the code of the project? samczsun noticed that the height of the transaction was always the same and much smaller than expected. Additionally, the withdrawal proof was substantially shorter. It appears there is something wrong with how the proof is determining whether a transaction is valid or not.
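The two anomalies above (a stale, repeated block height and an unusually short proof) are cheap to watch for on the receiving side. The following Go program is an added example, not code from the thread or from the bridge: it runs a simple heuristic over constructed withdrawal records (the heights, proof sizes and transaction ids are made up) and flags claims whose height lags far behind the newest claim or whose proof is under half the median length.

```go
package main

import (
	"fmt"
	"sort"
)

// Withdrawal is a constructed record of one bridge withdrawal claim: the block
// height the proof claims to be against and the byte length of the proof.
type Withdrawal struct {
	Tx       string
	Height   int64
	ProofLen int
}

// SampleWithdrawals is constructed sample data; values are invented.
var SampleWithdrawals = []Withdrawal{
	{"tx-a", 274_000_100, 1420},
	{"tx-b", 274_000_180, 1398},
	{"tx-c", 110_217_000, 512}, // stale height and short proof
	{"tx-d", 274_000_240, 1451},
	{"tx-e", 110_217_000, 530}, // same stale height again
	{"tx-f", 274_000_310, 1405},
}

// FlagSuspicious returns the ids of claims whose height lags the newest claim
// by more than maxLag blocks, or whose proof is shorter than half the median
// proof length across the batch. Order follows the input.
func FlagSuspicious(ws []Withdrawal, maxLag int64) []string {
	if len(ws) == 0 {
		return nil
	}
	var newest int64
	lens := make([]int, 0, len(ws))
	for _, w := range ws {
		if w.Height > newest {
			newest = w.Height
		}
		lens = append(lens, w.ProofLen)
	}
	sort.Ints(lens)
	median := lens[len(lens)/2]

	var flagged []string
	for _, w := range ws {
		stale := newest-w.Height > maxLag
		short := w.ProofLen*2 < median
		if stale || short {
			flagged = append(flagged, w.Tx)
		}
	}
	return flagged
}

func main() {
	for _, tx := range FlagSuspicious(SampleWithdrawals, 10_000) {
		fmt.Println("suspicious withdrawal claim:", tx)
	}
}
```

The thresholds (a 10,000-block lag and half the median proof size) are assumptions for the demo; in practice they would be tuned against the bridge's normal traffic, and a hit should pause the claim for manual review rather than block it outright.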
The Binance bridge was keeping track of the state using a self-balancing tree called an AVL tree, with the twist that it is immutable, hence the name IAVL. While verifying the operations, there are two expected operations: `iavl:v` and `multistore`. To succeed, both operations need to succeed.
The verification process was busted. But how? The input of the `multistore` operation is the output of the `iavl:v` operation. The function COMPUTEHASH is used to go down every path and leaf node to do the verification. Since a single bit change will change the result, it is not realistic to trick the hash function. In particular, if we want to forge a proof, the path and leaf pair will need to stay the same.
Starting from the root node in the Merkle proof, the code needs to verify each node in the chain. However, there is a slight optimization bug. If there is a left node, the right node is NOT validated. As a result, we can place an arbitrary node into the tree WITHOUT it getting validated. This behaviour is described in the PR that fixed the vulnerability on GitHub.
Since we can add an arbitrary right node, all we have to do is add a leaf node to the right side with a blank inner node. By tweaking the leaf to exit early, we can still get a correct root hash despite altering the chain maliciously.
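To make the verification flaw concrete, here is an added Go example (my own toy model, not the IAVL library's code or its encoding). Each inner node of a proof carries a sibling hash in `Left` or `Right`; the other slot should be empty because the hash from the level below fills it. `lenientRoot` has the shape of the flawed check: once `Left` is present it is used and whatever sits in `Right` is never looked at, so a proof can carry data that is never validated yet still produces the trusted root. `strictRoot` rejects any inner node that does not carry exactly one sibling, so every byte of the proof is bound into the hash that gets compared. The tree, keys and values are constructed sample data, and the domain-separated SHA-256 hashing is an assumption for the demo.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// InnerNode is one step of a Merkle path, listed root-first. The sibling hash
// sits in Left or Right; the other slot stays empty for the computed child.
type InnerNode struct {
	Left  []byte
	Right []byte
}

// Toy hashing: 0x00 prefix for leaves, 0x01 for inner nodes (an assumption).
func hashLeaf(key, value []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(key)
	h.Write(value)
	return h.Sum(nil)
}

func hashPair(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// lenientRoot: when Left is present it is used and Right is never examined,
// so unvalidated data can ride along in the proof without changing the root.
func lenientRoot(path []InnerNode, leafHash []byte) []byte {
	h := leafHash
	for i := len(path) - 1; i >= 0; i-- {
		if len(path[i].Left) == 0 {
			h = hashPair(h, path[i].Right)
		} else {
			h = hashPair(path[i].Left, h) // Right silently ignored
		}
	}
	return h
}

// strictRoot insists on exactly one sibling per inner node.
func strictRoot(path []InnerNode, leafHash []byte) ([]byte, error) {
	h := leafHash
	for i := len(path) - 1; i >= 0; i-- {
		n := path[i]
		switch {
		case len(n.Left) == 0 && len(n.Right) == 0:
			return nil, fmt.Errorf("inner node %d has no sibling hash", i)
		case len(n.Left) != 0 && len(n.Right) != 0:
			return nil, fmt.Errorf("inner node %d has both siblings; one would go unverified", i)
		case len(n.Left) == 0:
			h = hashPair(h, n.Right)
		default:
			h = hashPair(n.Left, h)
		}
	}
	return h, nil
}

// VerifyStrict checks a membership proof for (key, value) against root.
func VerifyStrict(root []byte, path []InnerNode, key, value []byte) error {
	h, err := strictRoot(path, hashLeaf(key, value))
	if err != nil {
		return err
	}
	if !bytes.Equal(h, root) {
		return errors.New("computed root does not match trusted root")
	}
	return nil
}

// DemoProof builds a four-leaf tree from constructed data and returns the root
// plus a proof for the second leaf.
func DemoProof() (root []byte, path []InnerNode, key, value []byte) {
	keys := [][]byte{[]byte("k0"), []byte("k1"), []byte("k2"), []byte("k3")}
	vals := [][]byte{[]byte("v0"), []byte("v1"), []byte("v2"), []byte("v3")}
	leaves := make([][]byte, 4)
	for i := range keys {
		leaves[i] = hashLeaf(keys[i], vals[i])
	}
	n01 := hashPair(leaves[0], leaves[1])
	n23 := hashPair(leaves[2], leaves[3])
	root = hashPair(n01, n23)
	path = []InnerNode{{Right: n23}, {Left: leaves[0]}}
	return root, path, keys[1], vals[1]
}

func main() {
	root, path, key, value := DemoProof()
	fmt.Println("genuine proof, strict:", VerifyStrict(root, path, key, value))
	bad := append([]InnerNode(nil), path...) // copy, then pad the unused slot
	bad[1].Right = []byte("never checked")
	fmt.Println("padded proof matches under lenient root:",
		bytes.Equal(lenientRoot(bad, hashLeaf(key, value)), root))
	fmt.Println("padded proof, strict:", VerifyStrict(root, bad, key, value))
}
```

The lesson for anyone writing a proof verifier is the one in the strict version: every field the proof format allows must either feed the root computation or be rejected, because a field that is parsed but never checked is exactly where a forged element can hide.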
Wow, this was literally an issue with the core blockchain framework itself. For cross-chain communication, BSC keeps track of the state root hash of the other chain (Binance Chain). Bypassing the verification allowed the creation of money that never existed.
Overall, a super interesting vulnerability that shouldn't have been possible. Things this big and impactful really should be tested thoroughly via dynamic testing and code review.