Full Report
The BNB Beacon Chain is the governance and staking layer of BNB Chain. It runs on a fork of the Cosmos SDK with many modifications, and one of the more sensitive of these is the coin type. The upstream Cosmos SDK wraps coin amounts in a checked big-integer type rather than a native integer; the fork uses a plain int64 for efficiency. As a result, unchecked arithmetic on amounts can overflow or underflow. The MsgSend message handles simple token transfers from a sender to one or more recipients (multiple outputs). To prevent theft, the handler loops over the inputs to confirm that the sender holds at least the amount being sent, and then checks that the total of the inputs equals the total of the outputs. With int64 arithmetic this check is trivial to bypass: by choosing output amounts whose sum wraps around, the inputs and outputs match after the overflow while the outputs credit far more tokens than the sender owns. This amounts to creating tokens out of thin air, breaking the chain's security. The fix was to patch the fork so that coin arithmetic no longer allows overflows. Overall, a fairly simple vulnerability in a popular project.
Analysis Summary
# Vulnerability: Integer Overflow in BNB Beacon Chain Token Transfer Leading to Infinite Token Minting
## CVE Details
- CVE ID: Not explicitly assigned in the provided text.
- CVSS Score: Not explicitly provided. (Given the impact, severity would be Critical/High)
- CWE: CWE-190: Integer Overflow or Wraparound
## Affected Systems
- Products: BNB Beacon Chain (Governance and Staking Layer of BNB Chain)
- Versions: Versions utilizing the custom, performance-optimized BNB fork of the Cosmos SDK which employs `int64` for token amounts without sufficient overflow checks. (Specific version ranges not provided)
- Configurations: Any configuration using the `MsgSend` handler for token transfers where input/output balancing relies on arithmetic operations over `int64` amounts.
## Vulnerability Description
The BNB Beacon Chain utilizes a fork of the Cosmos SDK where the `Coin` type uses the native Go `int64` for the `Amount` field, chosen for performance reasons over the upstream Cosmos SDK's safe `bigInt` wrapper. This choice makes the system susceptible to integer overflows and underflows.
The vulnerability resides specifically within the `MsgSend` handler, which verifies that the sender can cover each input and that total inputs match total outputs, to prevent unauthorized token creation or destruction. By constructing a transaction whose output amounts sum past the maximum value of an `int64`, the sum wraps around to a small value that equals the input total, so the balance check passes even though the outputs credit far more than the sender owns. This allows an attacker to effectively "mint" an arbitrary, large number of tokens.
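The following is an added example, not code from the BNB fork or the upstream Cosmos SDK, that reproduces the mechanism described above with illustrative types (`Coin`, `Transfer`, `MsgSend`, the validation functions and the account names are all assumptions made for this example). `ValidateVulnerable` performs the input/output check with plain `int64` sums, which Go wraps silently; `ValidateFixed` performs the same check with overflow-safe addition, returning an error where the real patch panics. `CraftedMsg` builds a transfer that spends one token but credits two accounts `MaxInt64` each: `MaxInt64 + MaxInt64 + 3` wraps to exactly `1`, so the totals balance.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Illustrative types mirroring the fork's choice of a native int64 amount
// (upstream Cosmos SDK uses a checked big-integer wrapper). The names are
// assumptions for this example, not the fork's real definitions.
type Coin struct {
	Denom  string
	Amount int64
}

type Transfer struct {
	Address string
	Coins   []Coin
}

type MsgSend struct {
	Inputs  []Transfer
	Outputs []Transfer
}

// sumWrapping adds amounts with plain int64 arithmetic. Go defines signed
// overflow as two's-complement wrap-around, so a total past MaxInt64
// silently comes back small. This is the vulnerable behaviour.
func sumWrapping(ts []Transfer) int64 {
	var total int64
	for _, t := range ts {
		for _, c := range t.Coins {
			total += c.Amount
		}
	}
	return total
}

// ValidateVulnerable reproduces the flawed check: each input must be covered
// by the sender's balance, and the wrapping input total must equal the
// wrapping output total.
func ValidateVulnerable(msg MsgSend, balances map[string]int64) error {
	for _, in := range msg.Inputs {
		if sumWrapping([]Transfer{in}) > balances[in.Address] {
			return errors.New("insufficient funds")
		}
	}
	if sumWrapping(msg.Inputs) != sumWrapping(msg.Outputs) {
		return errors.New("inputs do not match outputs")
	}
	return nil
}

var ErrOverflow = errors.New("int64 overflow in coin arithmetic")

// addChecked refuses to wrap. The actual patch panics on overflow, which
// aborts the transaction; returning an error is the equivalent here.
func addChecked(a, b int64) (int64, error) {
	if (b > 0 && a > math.MaxInt64-b) || (b < 0 && a < math.MinInt64-b) {
		return 0, ErrOverflow
	}
	return a + b, nil
}

// sumChecked also rejects non-positive amounts, so wrap-around cannot be
// reached through negative coins either.
func sumChecked(ts []Transfer) (int64, error) {
	var total int64
	for _, t := range ts {
		for _, c := range t.Coins {
			if c.Amount <= 0 {
				return 0, errors.New("amount must be positive")
			}
			var err error
			if total, err = addChecked(total, c.Amount); err != nil {
				return 0, err
			}
		}
	}
	return total, nil
}

// ValidateFixed is the same check with overflow-safe sums.
func ValidateFixed(msg MsgSend, balances map[string]int64) error {
	for _, in := range msg.Inputs {
		s, err := sumChecked([]Transfer{in})
		if err != nil {
			return err
		}
		if s > balances[in.Address] {
			return errors.New("insufficient funds")
		}
	}
	in, err := sumChecked(msg.Inputs)
	if err != nil {
		return err
	}
	out, err := sumChecked(msg.Outputs)
	if err != nil {
		return err
	}
	if in != out {
		return errors.New("inputs do not match outputs")
	}
	return nil
}

// CraftedMsg spends 1 token but credits two attacker accounts MaxInt64 each:
// MaxInt64 + MaxInt64 + 3 wraps to exactly 1, so the totals "match".
func CraftedMsg() MsgSend {
	return MsgSend{
		Inputs: []Transfer{{Address: "sender", Coins: []Coin{{"BNB", 1}}}},
		Outputs: []Transfer{
			{Address: "attacker1", Coins: []Coin{{"BNB", math.MaxInt64}}},
			{Address: "attacker2", Coins: []Coin{{"BNB", math.MaxInt64}}},
			{Address: "dust", Coins: []Coin{{"BNB", 3}}},
		},
	}
}

func main() {
	balances := map[string]int64{"sender": 1}
	msg := CraftedMsg()
	fmt.Println("wrapped output total:", sumWrapping(msg.Outputs))
	fmt.Println("vulnerable check:", ValidateVulnerable(msg, balances))
	fmt.Println("fixed check:", ValidateFixed(msg, balances))
}
```

The overflow predicate in `addChecked` is the standard pre-check (`a > MaxInt64 - b` for positive `b`); it is chosen here because a post-check on the wrapped result is easy to get wrong. Rejecting non-positive amounts matters as much as the overflow check: with negative coins allowed, a total can wrap in the other direction.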
## Exploitation
- Status: Not exploited in the wild (Vulnerability responsibly disclosed and patched quickly).
- Complexity: Low (the attack requires only a crafted `MsgSend` transaction whose output amounts wrap around to match the inputs).
- Attack Vector: Network (Submission of a malicious transaction).
## Impact
- Confidentiality: No direct impact.
- Integrity: **Critical.** Allows unauthorized creation (minting) of native BNB tokens, breaking the monetary integrity of the chain.
- Availability: Potential for widespread instability or chain halt depending on subsequent code reaction to the manipulated state, though the primary impact is integrity loss.
## Remediation
### Patches
- The BNB team patched their fork of the Cosmos SDK library to prevent overflows in Coin calculations. After the fix, an overflow in Coin calculations now causes a Golang panic, resulting in transaction failure rather than proceeding with an incorrect balance.
### Workarounds
- No temporary workarounds were detailed, as the vendor deployed a fix in under 24 hours following disclosure.
## Detection
- **Indicators of Compromise:** Transactions where the sum of output token amounts significantly exceeds the sender's known balance prior to the transaction, or whose input/output check passed only because the `int64` sum wrapped around (the exact sum computed with arbitrary-precision integers differs from the `int64` sum).
- **Detection Methods and Tools:** Static analysis tools capable of tracing arithmetic operations on fixed-size integers (`int64`) within the transaction processing logic, specifically targeting balance verification steps in the `MsgSend` handler; for processed transactions, recomputing totals with arbitrary-precision integers and comparing them against both the `int64` total and the sender's prior balance.
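As an added example of the detection method above (not a tool from the page or the BNB project), the scanner below replays a list of simplified transaction records against the two indicators: an output total that only balances because `int64` arithmetic wrapped, and an output total larger than the sender held before the transaction. The `TxRecord` layout, the field names and the sample transactions are all constructed for this example; exact totals use `math/big`, which is how the upstream Cosmos SDK avoids the problem in the first place.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
)

// TxRecord is a constructed, simplified view of a processed MsgSend: the
// sender's balance before the transaction (from ledger state) and the
// recorded output amounts. The field names are assumptions for this example.
type TxRecord struct {
	Hash          string
	Sender        string
	SenderBalance int64
	Outputs       []int64
}

type Finding struct {
	Hash   string
	Reason string
}

// exactSum totals the outputs with arbitrary-precision integers, which is
// what the handler's int64 sum should have been.
func exactSum(amounts []int64) *big.Int {
	total := new(big.Int)
	for _, a := range amounts {
		total.Add(total, big.NewInt(a))
	}
	return total
}

// wrappedSum totals them the way the vulnerable handler did.
func wrappedSum(amounts []int64) int64 {
	var total int64
	for _, a := range amounts {
		total += a
	}
	return total
}

// Scan flags the two indicators from the report. A wrap-around is detected
// by comparing the exact total with the int64 total; a theft is detected by
// comparing the exact total with the sender's prior balance.
func Scan(txs []TxRecord) []Finding {
	var findings []Finding
	for _, tx := range txs {
		exact := exactSum(tx.Outputs)
		if exact.Cmp(big.NewInt(wrappedSum(tx.Outputs))) != 0 {
			findings = append(findings, Finding{
				Hash:   tx.Hash,
				Reason: "output total wraps int64; balance check was satisfied by overflow",
			})
		}
		if exact.Cmp(big.NewInt(tx.SenderBalance)) > 0 {
			findings = append(findings, Finding{
				Hash:   tx.Hash,
				Reason: fmt.Sprintf("outputs total %s exceeds sender balance %d", exact, tx.SenderBalance),
			})
		}
	}
	return findings
}

// SampleTxs is constructed input: one honest transfer and one transfer of
// the shape described in the report (MaxInt64 + MaxInt64 + 3 wraps to 1).
func SampleTxs() []TxRecord {
	return []TxRecord{
		{Hash: "tx-honest", Sender: "alice", SenderBalance: 100, Outputs: []int64{40, 60}},
		{Hash: "tx-crafted", Sender: "mallory", SenderBalance: 1, Outputs: []int64{math.MaxInt64, math.MaxInt64, 3}},
	}
}

func main() {
	for _, f := range Scan(SampleTxs()) {
		fmt.Printf("%s: %s\n", f.Hash, f.Reason)
	}
}
```

Running it reports both findings for `tx-crafted` and nothing for `tx-honest`. The wrap-around comparison is the more specific signal: a transaction can legitimately exceed a stale balance snapshot, but an exact total that differs from the `int64` total can only come from overflow.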
## References
- Vendor Advisories: Jump Crypto Responsible Disclosure Communication (Implied)
- Relevant links - defanged:
- `hxxps://www-webflow.jumpcrypto.com/resource-category/blogs`
- The vulnerability description points to the BNB chain Cosmos SDK fork: `hxxps://github.com/bnb-chain/bnc-cosmos-sdk`