BNB Bridge hack ELI5 explained and visualised

What makes this hack so special?

This hack was special for how it was handled and how the vulnerability was “fixed”. First of all, the Binance Smart Chain was halted. Secondly, the blacklist functionality was added to the BNB Chain implementation and attacker’s address was hardcoded. Last, but not least the precompiled contract used for Merkle proof verification was suspended so any contract that used it was DoSed (it has been restored 5 days later).

Initial analysis

Right after the hack, many researchers started to analyse the hack and were looking for the bug.

Sam’s PoC
Dedaub’s solution
Emiliano’s analysis

Merkle tree introduction

Let’s start with a problem. Imagine you have some data values and allow users to prove that they own a specific one. Of course, these values must remain secret until they are revealed by their owners.

Merkle tree

Merkle proofs

Now, when you understand the Merkle tree structure, let’s cover the process of proving that some specific value (kept in one of the leaves) is in fact part of the tree. The tree is represented only by the root hash, which means that we have to somehow start from the bottom of the tree and end up with the hash equal to the root.

Merkle proof
Merkle proof with different sides on the path
Path nodes with Left and Right attributes

Merkle proof of multiple nodes

Let’s complicate a bit more. Imagine that you want to prove the existence of multiple values (e.g. V1 and V2) in the tree, like in the example below.

Just do it

The root cause

The BNB Bridge allows you to verify multiple values (that execute some transfers when verified, by the way) in the same way as described above.

Fix

The general fix for that issue would be to make sure that the sides that are used for subsequent leaves verification are the same that are used for root hash verifications. In other words, if the Left side was used to calculate the root hash, the Right side cannot be used for subsequent leaves verification.

Lessons learned

The main take-away from this issue is that it is important to calculate the values consistently. In this example, both the root hash itself and the hash calculated during subsequent leaves verification should take into account both sides of the node.
Another lesson is to be careful when doing gas optimisation as it is an easy way to introduce a security bug.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Damian Rusinek

Damian Rusinek

Security Consultant @ Securing, PhD, Blockchain Security, Cryptography Protocols || Twitter: @drdr_zz