Full Report
Elliptic Curve Cryptography is the basis of most signature verification, hence identity, in modern blockchains. Prior to the recent Pectra release, only the bn254 elliptic curve was allowed. There are some precompiles for curve pairing checks and multiplication/division that were defined in previous releases for efficient gas-wise computations. Invalid curve attacks are a known issue surrounding ECDSA systems. For non-prime order curves, it's important that they're in the proper subgroup. If it's not in the correct subgroup then cryptographic operations can be manipulated/compromised. To check if a point is valid, there are two things to check: it must be on the curve and belong to a subgroup. If P is untrusted, then these verification's are crucial. In the Besu implementation of the EVM, is_valid_point was not checking if the point was on the curve - it was only cehcking if it was in the subgroup. So, can you create a point that lies in the correct subgroup but off the curve? This requires choosing a very well-chosen curve. In particular an isomorphic curve. There are more details on the math but I don't really understand them :) Why does all of this matter though? In this case, the main issue was a consensus failure. Since the Besu implementation was the only one with this particular issue, it would have diverged from the other clients, potentially leading to a chain fork. Besides this, they imply that it has other security concerns but didn't say it specifically. To me, up time is not a huge concern compared to the benefit of multiple clients. If there's a loss of funds bug to be exploited in the EVM, it would have to appear in 66% of the clients; this is the benefit of client diversity. Good bug that was very specific to cryptography none-the-less.
Analysis Summary
# Vulnerability: Consensus Failure Due to Incomplete Elliptic Curve Point Validation in Besu
## CVE Details
- CVE ID: CVE-2025-30147
- CVSS Score: Not explicitly provided, but context suggests "High" severity due to consensus failure potential.
- CWE: CWE-326 (Inadequate Cryptographic Implementation) or related weakness specific to ECDSA validation.
## Affected Systems
- Products: Besu Ethereum execution client (Hyperledger Besu)
- Versions: Prior to 25.3.0 (specifically mentioned version 25.2.2)
- Configurations: EVM handling of EIP-196/EIP-197 precompiled contracts involving the `alt_bn128` (bn254) elliptic curve.
## Vulnerability Description
The vulnerability resided in the `is_valid_point` logic within the Besu implementation responsible for validating points used in elliptic curve operations related to the bn254 curve precompiles (EIP-196/EIP-197). Standard elliptic curve point validation requires checking two conditions: that the point lies *on the curve* and that it belongs to the *correct subgroup*.
Besu's implementation was incorrectly only checking for subgroup membership, omitting the crucial check to ensure the point was mathematically situated on the specified elliptic curve. This allowed an attacker to construct a malicious point that satisfied the subgroup check but did not lie on the actual curve (by leveraging an isomorphic curve choice). Such invalid points could then be used to manipulate cryptographic operations.
The primary consequence highlighted was a **consensus failure**, as Besu nodes implementing the flawed check would process blocks/transactions differently than the majority of other clients that performed complete validation, leading to chain divergence (forking).
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the condition for exploitation (crafting a point passing the check yet off-curve) was demonstrated/confirmed via test vectors.
- Complexity: Medium to High, as crafting a valid-looking but cryptographically invalid point (leveraging isomorphic curves) requires specific mathematical knowledge.
- Attack Vector: Network (via transaction submission).
## Impact
- Confidentiality: Potential impact if funds-loss bug related to EVM manipulation was present and triggered. Not explicitly quantified.
- Integrity: **High**. Caused consensus failures and client divergence, jeopardizing chain integrity if exploited widely enough to cause non-finality issues.
- Availability: High potential for Denial of Service via chain fork/split, disrupting service for Besu users.
## Remediation
### Patches
- Besu version **25.3.0** contains the fix, ensuring that both curve membership and subgroup membership are correctly verified for elliptic curve points introduced via precompiles.
### Workarounds
- No explicit workaround was detailed, as the direct fix was implemented swiftly. Temporary mitigation would involve ensuring that untrusted inputs into the bn254 precompiles were avoided, though this is difficult in a live EVM context.
## Detection
- Indicators of Compromise: Nodes reporting unexpected divergence or consensus disagreements related to transactions utilizing bn254 precompiles.
- Detection methods and tools: The issue was identified via a rigorous security audit/bug bounty competition testing cryptographic primitives. Standard client monitoring for consensus disagreement might highlight the resulting fork, but specialized cryptography tracing would be needed to detect the manipulation itself.
## References
- Vendor Advisories: Hyperledger Besu release notes for 25.3.0.
- Relevant Links:
- Full CVE Report: hXXps://nvd.nist.gov/vuln/detail/CVE-2025-30147
- Ethereum Foundation Blog Post: hXXps://blog.ethereum.org/2025/05/07/the-curious-case-of-subgroup-check-on-besu