Full Report
The cross-chain bridge for Binance Coin (BNB) on the Binance Smart Chain (BSC) was hacked. An attacker drained 2 million BNB (566 million in USD). How did this happen? Let's follow the Twitter thread!

While reviewing the transactions of the attacker account, they noticed a large amount of funds that went into Venus. Reviewing the transaction from the Binance Bridge made it clear: the bridge had been convinced to send the attacker 1 million BNB. So it appears that the bridge has a bug in it.

What reconnaissance can we do before checking the code of the project? samczsun noticed that the height of the transaction was always the same and much smaller than expected. Additionally, the withdrawal proof was substantially shorter. It appears there is something wrong with how the proof determines whether a transaction is valid or not.

The Binance bridge was keeping track of the state using a self-balancing tree algorithm called an AVL tree, with the twist of being immutable: IAVL. During verification, there are two expected operations: iavl:v and multistore. For the verification to succeed, both operations need to succeed. The verification process was busted. But how?

The input of the multistore operation is the output of the iavl:v operation. The function COMPUTEHASH is used to go down every path and leaf node to do the verification. Since a single bit change will change the result, it is not realistic to trick the hash function. In particular, if we want to forge a proof, the path and leaf pair will need to stay the same.

For the root node in the Merkle proof, the code needs to verify each node in the chain. However, there is a slight optimization bug: if there is a left node, the right node is NOT validated. As a result, we can place an arbitrary node into the tree WITHOUT it getting validated. This functionality is described in the PR to fix the vulnerability on GitHub.

Since we can add an arbitrary right node, all we have to do is add a leaf node to the right side with a blank inner node. By tweaking the leaf to exit early, we can still get a correct root hash despite altering the chain maliciously. Wow, this was literally an issue with the core blockchain framework itself.

When doing the cross-chain communication, the BSC keeps track of the state of the root hash of the other chain (Binance Chain). The bypass of the verification allowed for the creation of money that never existed.

Overall, a super interesting vulnerability that shouldn't have been possible. Things this big and impactful really should be tested thoroughly via dynamic testing and code review.
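The validation gap described above, in a simplified Go model (an added example, not code from the IAVL library or from the fix PR; `PathNode`, `hashLoose` and `rootStrict` are hypothetical names and the sample data is constructed). It shows that a node's Right field has no effect on the hash once Left is set, next to a strict walk that rejects any proof node populating both sides.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// PathNode is a simplified, hypothetical model of one inner node in a
// Merkle proof path. A well-formed node carries exactly one sibling hash:
// Left or Right. The other side is the hash computed from the level below.
type PathNode struct{ Left, Right []byte }

var ErrBothSides = errors.New("proof node sets both Left and Right")

func sum(a, b []byte) []byte {
	h := sha256.New()
	h.Write(a)
	h.Write(b)
	return h.Sum(nil)
}

// hashLoose models the flaw described above: once Left is present,
// Right is never read, so whatever it holds is not bound to the root.
func hashLoose(n PathNode, child []byte) []byte {
	if len(n.Left) > 0 {
		return sum(n.Left, child)
	}
	return sum(child, n.Right)
}

// rootStrict walks the path from leaf to root and refuses any node that
// populates both sides, so no unhashed field can ride along in a proof.
func rootStrict(leaf []byte, path []PathNode) ([]byte, error) {
	cur := leaf
	for i, n := range path {
		if len(n.Left) > 0 && len(n.Right) > 0 {
			return nil, fmt.Errorf("node %d: %w", i, ErrBothSides)
		}
		cur = hashLoose(n, cur)
	}
	return cur, nil
}

func main() {
	leaf := sum([]byte("leaf"), nil) // constructed sample data
	ok := PathNode{Left: sum([]byte("sibling"), nil)}
	extra := PathNode{Left: ok.Left, Right: []byte("never hashed")}
	fmt.Println("loose hashes equal:", string(hashLoose(ok, leaf)) == string(hashLoose(extra, leaf)))
	_, err := rootStrict(leaf, []PathNode{extra})
	fmt.Println("strict:", err)
}
```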
Analysis Summary
# Incident Report: Exploitation of the Binance Smart Chain (BSC) Token Hub
## Executive Summary
An attacker exploited a critical vulnerability in the Binance Bridge (Token Hub), allowing for the unauthorized minting of 2 million BNB, valued at approximately $566 million USD. The incident was caused by a logic flaw in the IAVL Merkle proof verification process within the core blockchain framework (Cosmos SDK). The bridge was temporarily halted to contain the impact and prevent further movement of funds.
## Incident Details
- **Discovery Date:** October 6, 2022
- **Incident Date:** October 6, 2022
- **Affected Organization:** Binance / Binance Smart Chain (BSC)
- **Sector:** Financial Technology / Cryptocurrency
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** October 6, 2022
- **Vector:** Forged Merkle Proofs
- **Details:** The attacker submitted two transactions to the BSC Token Hub. Each transaction successfully claimed 1,000,000 BNB by providing cryptographic proofs that appeared valid to the bridge’s automated verification logic.
### Lateral Movement
- **Details:** After receiving the BNB on the Binance Smart Chain, the attacker moved a large portion of the funds into the Venus Protocol (a decentralized lending platform) to use the minted BNB as collateral to borrow other stablecoins and assets, effectively "cashing out" without selling the BNB directly.
### Data Exfiltration/Impact
- **Impact:** Total unauthorized creation of 2,000,000 BNB. Approximately $566 million USD in value was moved out of the bridge.
### Detection & Response
- **Discovery:** On-chain monitoring and security researchers (including samczsun) noticed anomalous high-value transactions and a discrepancy in the withdrawal proof lengths.
- **Response Actions:** Binance coordinated with validators to pause the entire Binance Smart Chain network, halting all transactions to prevent the attacker from moving the remaining funds to other chains.
## Attack Methodology
- **Initial Access:** Logic exploitation of the `iavl:v` and `multistore` verification operations.
- **Persistence:** Not applicable; the attack was an automated exploitation of a smart contract function.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Use of "short" proofs that leveraged a hash-validation bypass to trick the system into accepting illegitimate state changes.
- **Discovery:** The attacker performed reconnaissance on the IAVL tree implementation, identifying that the `COMPUTEHASH` function failed to validate right-side nodes if a left-side node was present.
- **Impact:** Unauthorized minting (inflation) of cryptocurrency assets.
## Impact Assessment
- **Financial:** ~$566 million USD worth of BNB minted; actual realized loss was lower due to the rapid halting of the chain and freezing of assets.
- **Data Breach:** None (Cryptographic integrity breach rather than data theft).
- **Operational:** The BNB Smart Chain was completely offline for several hours, disrupting all decentralized applications (dApps) and users.
- **Reputational:** High-profile scrutiny of the security of cross-chain bridges and the Cosmos SDK framework.
## Indicators of Compromise
- **Network Indicators:** hxxps[://]bscscan[.]com/address/0x489A8756C1A79D8444F79175c8E418515e7828a2 (Attacker Address - Defanged)
- **Behavioral Indicators:** Unexpected withdrawal proofs with significantly shorter paths; repeat transaction heights that did not match current chain state expectations.
## Response Actions
- **Containment:** The BSC network was halted via coordinated validator action.
- **Eradication:** A hard fork was implemented to revoke the attacker’s funds and patch the vulnerability in the IAVL verification logic.
- **Recovery:** The chain was restarted with updated node software that prevented the specific proof forgery.
## Lessons Learned
- **Key Takeaways:** Even core library functions (like those in the Cosmos SDK) can contain "optimization" bugs that result in catastrophic security failures.
- **What could have been done better:** Earlier detection of the specific IAVL tree vulnerability through more rigorous formal verification or audits of the bridge's cryptographic primitives.
## Recommendations
- **Prevention:** Implement multi-party computation (MPC) or additional layers of governance for large-value bridge withdrawals.
- **Testing:** Perform extensive dynamic testing and "fuzzing" on Merkle tree implementations, specifically testing edge cases in tree depth and node validation.
- **Monitoring:** Set up automated "circuit breakers" that trigger a chain halt if a single transaction exceeds a certain percentage of total liquidity.