Full Report
The Binance has a token hub bridge that allows interoperability between two chains. These two chains are the EVM compatible Binance Smart Chain (BSC) and the Binance Beacon Chain used for management purposes. The currency of these chains is BNB. Bridges do not work as you'd expect; it's more of a lockbox than anything else. Chain A has ownership of some tokens on Chain B. So, we look the Chain A tokens then unlock them for the specific user on Chain B. In the case of Binance, the logic for going to Chain B was busted. When Chain B does the verification from the Chain A blockchain in Solidity, it uses a type of binary tree that can be used for verification called a Merkle Tree. This tree allows for the verification of the existence of a transaction on the other chain. Any discrepancy will indicate that the data in the node has been tampered with. The BSC bridge uses a balanced binary tree called an AVL tree. The function handlePackage is made in order to add this information to chain B. It should be noted that this function is only callable by a relayer. In the land of Cosmos, the relayer is how IBC communicates that a transaction on Chain A has occurred that Chain B cares about. A relayer doesn't need to be 100% trusted. Because, at the end of the day, the merkle proof speaks for itself. The relayer for BNB will parse the events at the very end of a block and send this to chain B. To send it to chain B, there are 4 parameters: a source chain ID, destination chain ID, a channel ID and a sequence number. After this initial handshake, the relayer calls Chain B with the transaction data, the proof and the block height. This is how the data goes from a Chain A request to a Chain B request. The Merkle proof library in Solidity was a precompiled IAVL library written in Go that directly interacts with Cosmos via a special EVM hook specific to Binance. Within Go, the function computes the root hash and verifies that it matches the hash against the new data being provided. If this is true, then the transaction must be legitimate. The tree verification algorithm assumes that only one leaf node will exist. If there's a left node (if statement), then it allows verifies that. If there's a right (else statement) node, then it only verifies that. This becomes a problem when there are two leafs, which is 100% possible. With the logic of the program, we can provide a right node that will never be verified! To exploit this, the attacker took a legitimate transaction and modified the payload to add the right node. The node said that a transaction of 2 million BNB with each BNB worth $293 at the time, was sent to them. Once they had done this, they took the money out of the bridge and laundered it to some other places. This resulted in a $586 million dollar hack. In the aftermath of this, Binance forked the BSC blockchain to remove this. Additionally, USDT blocked the attackers address, preventing them from accessing a percentage of their stolen funds. To fix this, the proof errors out if there is more than one child. Overall, an interesting dive into the Cosmos and Binance eco-system.
Analysis Summary
# Incident Report: Binance Smart Chain (BSC) Token Hub Bridge Exploitation
## Executive Summary
On October 6, 2022, an attacker exploited a cryptographic vulnerability in the BSC Token Hub bridge’s Merkle proof verification logic. By manipulating the IAVL tree structure, the attacker forged a proof to authorize the unauthorized minting of 2 million BNB. The incident resulted in a loss of approximately $586 million, though a significant portion was contained through a proactive network halt and asset blacklisting.
## Incident Details
- **Discovery Date:** October 6, 2022
- **Incident Date:** October 6, 2022
- **Affected Organization:** Binance
- **Sector:** Financial Technology (Cryptocurrency/DeFi)
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** October 6, 2022
- **Vector:** Exploitation of the `iavlMerkleProofValidate` function.
- **Details:** The attacker registered as a relayer (requiring a 100 BNB deposit) to gain the authority to call the `handlePackage` function on the CrossChain smart contract.
### Lateral Movement
- **N/A:** The attack was a high-impact direct exploit of the bridge protocol. The attacker moved funds from the Binance Beacon Chain to the Binance Smart Chain by providing a forged Merkle proof that bypassed verification logic.
### Data Exfiltration/Impact
- **Financial Loss:** 2 million BNB ($586 million USD at the time) was illicitly minted and moved to the attacker's wallet.
- **Laundering:** The attacker used decentralized exchanges (DEXs) to swap BNB for various stablecoins (USDT, USDC) across multiple chains including Ethereum, Avalanche, Fantom, Polygon, Arbitrum, and Optimism.
### Detection & Response
- **Detection:** Rapid identification of anomalous large-scale minting and bridge withdrawals.
- **Response Actions:** Binance coordinated a temporary suspension of the entire BSC network and executed a hard fork to invalidate the attacker’s transactions. Tether (USDT) blacklisted the attacker's addresses.
## Attack Methodology
- **Initial Access:** Valid Relayer registration.
- **Persistence:** Not applicable; the attack was an atomic exploit of a logic flaw.
- **Defense Evasion:** The attacker modified the payload of a legitimate transaction to add a "right node" to the AVL tree that the verification logic failed to inspect.
- **Exfiltration:** Cross-chain bridging and swapping via liquidity pools to obscure the money trail.
- **Impact:** Manipulation of the `validateMerkleProof` function to authorize fraudulent transfers.
## Impact Assessment
- **Financial:** ~$586 million total stolen; over $400 million effectively "frozen" or recovered via the chain halt.
- **Data Breach:** None (Cryptographic integrity breach).
- **Operational:** Complete shutdown of the Binance Smart Chain for several hours; emergency hard fork required.
- **Reputational:** Significant scrutiny regarding the centralization of the BSC network (due to the ability to halt the chain) and the security of cross-chain bridges.
## Indicators of Compromise
- **Behavioral Indicators:** Unexpected 1,000,000 BNB minting events (twice) from the Token Hub contract.
- **Blacklisted Address:** `0x489A8756C1...` (specific address identified in BSC blacklist).
## Response Actions
- **Containment:** Total suspension of the BSC validator network to prevent further outbound movement of funds.
- **Eradication:** Implementation of a software fix in the Go-based IAVL library to properly validate multiple leaf nodes.
- **Recovery:** A hard fork was performed to restore the state and permanently block the attacker's access to the remaining stolen funds.
## Lessons Learned
- **Dependency Risk:** A vulnerability in a third-party library (Cosmos IAVL) can lead to catastrophic failure in the implementing protocol.
- **Logic Flaws in Cryptography:** Even if a Merkle proof is mathematically sound, the *implementation* of the verification (the if/else logic) can be a single point of failure.
- **Relayer Trust:** While relayers are meant to be permissionless/semi-trusted, they provide the necessary surface area to trigger internal contract logic.
## Recommendations
- **Rigid Input Validation:** Ensure tree verification algorithms explicitly fail if unexpected nodes (e.g., simultaneous left and right children in a single-leaf proof) are present.
- **Enhanced Monitoring:** Implement real-time alerts for high-value minting events that exceed historical thresholds.
- **Third-party Audits:** Conduct deep-dive audits of precompiled contracts and low-level Go libraries interacting with the EVM.