This most recent BNB Chain exploit and the actions taken by Binance in response may have limited the harm, but the community is once again faced with the same decentralization conundrum.
Sam Sun, head of security at Paradigm, says the hacker succeeded in tricking the Binance Bridge into transferring 1 million BNB. Once the exploit worked, the hacker sent a further 1 million BNB using the same technique, this time to an address under their control.
There have been three attacks against cross-chain bridges in 2022: the earlier attacks on the Ronin and Horizon bridges stole $650 million and $100 million respectively.
According to Sam Sun of Paradigm Research, the attacker convinced the Binance Bridge to transmit 1 million BNB to an address they controlled.
They went through the process twice. Comparing the attacker's transactions with valid withdrawals, Sun found that the attacker consistently used the same block height, 110217401, whereas legitimate withdrawals used far larger heights, such as 270822321.
He also pointed out that the attacker had “forged a proof” for that particular block, 110217401: it was noticeably shorter than a legitimate withdrawal's proof.
As Sun explained, both operations must succeed in order to fabricate a proof, and the last operation (the multistore) must also return a fixed value: the hash of the specified block, 110217401.
The attack targeted the BSC chain, where the Binance Bridge supplies BSC with liquidity.
The Binance cross-chain bridge uses IAVL tree proofs to authenticate messages submitted to it.
IAVL tree proofs are verified by a dedicated precompiled contract that Binance provides. To verify an IAVL proof, a user must specify a set of “operations”; according to Sun, the Binance Bridge normally expects two of them: an “iavl:v” operation and a “multistore” operation.
The hacker exploited a vulnerability in the IAVL tree, the base library code of the cross-chain bridge's message validation mechanism, to forge a malicious withdrawal message.
The researcher noted that although the attacker forwarded only two messages, the damage could have been far worse.
This kind of hack is known as a cross-chain attack.
Normally, messages forged by hackers are promptly rejected by the IAVL tree. This time, however, the attacker found a flaw in the IAVL verification procedure that allowed him to deceive the IAVL tree into accepting arbitrary messages. By meticulously crafting and forging the message, the hacker was able to drain 2M BNB from the cross-chain bridge.
To have the Merkle proof validated, the hacker invoked the handlePackage method of the BSC cross-chain bridge contract, which in turn calls the precompiled contract.
A precompiled contract performs a function somewhat akin to a syscall in an operating system.
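As an added illustration (not code from this post, nor from Binance or BNB Chain), here is a simplified Python model of the two-step check described above: an “iavl:v” step that recomputes the store root from a leaf and its path, and a “multistore” step whose output must equal the app hash already trusted for the claimed height, plus a staleness check in the spirit of Sun's observation about the reused height 110217401. The hash layouts, store names and sample state are constructed for the example and are not the real IAVL or Tendermint encodings.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed, simplified model: hash layouts are illustrative, NOT the real
# IAVL / Tendermint encodings used by BNB Chain.

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def iavl_root(key: bytes, value: bytes, path: list) -> bytes:
    """Op 1 ("iavl:v"): recompute the store root from a leaf and its sibling path.
    path entries are (side, sibling_hash); side says where the sibling sits."""
    node = _h(b"\x00", key, value)  # leaf hash commits to key AND value
    for side, sibling in path:      # climb toward the root one level at a time
        node = _h(b"\x01", sibling, node) if side == "L" else _h(b"\x01", node, sibling)
    return node

def multistore_hash(store_roots: dict) -> bytes:
    """Op 2 ("multistore"): fold every store root into the application hash."""
    return _h(*(name.encode() + root for name, root in sorted(store_roots.items())))

@dataclass
class Proof:
    height: int                 # block height the proof claims to be anchored at
    key: bytes
    value: bytes
    path: list
    other_stores: dict = field(default_factory=dict)

def verify_withdrawal(proof: Proof, trusted_app_hash: dict, head: int, max_age: int) -> bool:
    """Accept only if both ops succeed AND the final value equals the app hash
    the bridge already trusts for that exact height. A height far behind the
    current head (the reused-height pattern Sun spotted) is rejected outright."""
    if proof.height not in trusted_app_hash or head - proof.height > max_age:
        return False
    roots = dict(proof.other_stores, bridge=iavl_root(proof.key, proof.value, proof.path))
    return multistore_hash(roots) == trusted_app_hash[proof.height]

def build_sample():
    """Constructed state: a 'bridge' store with two leaves plus one other store.
    Returns the legitimate leaf, its sibling hash, the other store roots and the app hash."""
    good_key, good_value = b"withdraw:1", b"amount=100"
    sibling = _h(b"\x00", b"withdraw:2", b"amount=5")
    bridge_root = iavl_root(good_key, good_value, [("R", sibling)])
    others = {"bank": _h(b"bank-store")}
    return good_key, good_value, sibling, others, multistore_hash(dict(others, bridge=bridge_root))
```

The point to take from the model is that the final multistore output is compared against a value the verifier already holds, so a proof that only satisfies the intermediate step, or that is anchored at a height the bridge should no longer accept, never passes.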
The IAVL tree is a self-balancing binary search tree derived from the AVL tree, which, as the name suggests, was created by Georgy Adelson-Velsky and Evgenii Landis.
Harbor's goal is to promote secure Web3.0 development. Keep checking back as we routinely share internal technology and concentrate on the overall security of the blockchain ecosystem as well as the security of operating systems, browsers, and mobile devices.
Fortunately, thanks to the community's containment and mitigation efforts, the real scope of the hack is thought to be far smaller.
But these cross-chain applications have received harsh criticism from the community. Even Vitalik Buterin, the co-founder of Ethereum, questioned “the fundamental security limits of bridges,” adding that he was “pessimistic about cross-chain applications.”