# Full Report
The Threshold Network is a collection of services that use threshold cryptography by relying on multiple secret keepers. One of these services is tBTC, which bridges native assets. The mechanism that relies on the Bitcoin merkle root is broken. It uses Simplified Payment Verification (SPV), a light-client verification scheme for Bitcoin. When SPV needs to verify a transaction, the proof only carries the merkle root and block hash needed to show that the given transaction is in the tree. This is similar to how IBC works. An SPV proof does not include the number of transactions.

The hashed values are 32 bytes long and the transactions in question are 64 bytes long. To get the parent of a transaction, we hash it. To generate a non-leaf node, we concatenate the two child hashes and hash the result. Because the count is not tracked and there are no delimiters between the data, the verifier can be tricked into believing that a raw transaction is in the tree when it actually is not. This is done by adding an extra transaction below a node (which gets hashed) to reach the value we want. Within a transaction, the information is mostly random, but many fields are controlled by the attacker. This requires a lot of grinding but is feasible.

The developers knew about this exact issue, and it is even described in Linux documentation. However, they deemed it unexploitable because it only works with transactions that are exactly 64 bytes in size, which most are not. The bug hunter realized that this was NOT the case: coinbase transactions could be used. A malicious miner could create a 64-byte coinbase transaction that would be accepted by the network. To fix the issue, a length check was added along with actual validation of the coinbase proof itself.
# Analysis Summary
# Vulnerability: Threshold Network tBTC Transaction Malleability via SPV Proof Forgery
## CVE Details
- **CVE ID:** Not explicitly assigned (DeFi protocol vulnerability tracked via Immunefi)
- **CVSS Score:** Critical (Estimated 9.0+ based on potential for arbitrary bridge fund drainage)
- **CWE:** CWE-345: Insufficient Verification of Data Authenticity (Specifically related to Merkle Tree Malleability)
## Affected Systems
- **Products:** Threshold Network (tBTC)
- **Versions:** All versions prior to the August 2023 fix.
- **Configurations:** Systems utilizing Simplified Payment Verification (SPV) light client proofs to verify Bitcoin transactions without length validation of the leaf nodes.
## Vulnerability Description
The vulnerability stems from a fundamental design flaw in how Bitcoin Merkle trees interact with SPV verifiers. In a Merkle tree, leaf nodes (transactions) are 64 bytes or larger, while internal nodes are 32-byte hashes; two of them are concatenated into a 64-byte chunk before being hashed again.
Because the SPV proof does not distinguish between a leaf node (a raw transaction) and an internal node (two concatenated hashes), an attacker can "trick" the verifier. By providing a 64-byte transaction that matches the concatenated hash of two legitimate lower-level nodes, the attacker can cause the verifier to interpret internal tree data as a valid transaction.
While previously dismissed as unexploitable because most Bitcoin transactions are larger than 64 bytes, the researcher demonstrated that **coinbase transactions** (created by miners) can be exactly 64 bytes, making this attack feasible via "grinding" (brute-forcing) transaction data until its hash matches the required internal node value.
## Exploitation
- **Status:** PoC available (Identified by whitehat "Kayaba")
- **Complexity:** High (Requires the attacker to be a malicious miner or partner with one, and perform significant computational grinding).
- **Attack Vector:** Network (Bitcoin/Ethereum Bridge)
## Impact
- **Confidentiality:** None
- **Integrity:** Critical (Allows for the inclusion of forged transactions into the bridge, potentially leading to unauthorized minting of tBTC or theft of collateral).
- **Availability:** Low
## Remediation
### Patches
- **Threshold Network Fix (August 2023):** The developers implemented two primary checks:
1. **Length Validation:** Explicitly checking transaction sizes to ensure internal nodes cannot be misinterpreted as transactions.
2. **Coinbase Proof Validation:** Added specific validation for the coinbase transaction proof to prevent malicious 64-byte coinbase injection.
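Added here as an illustration of the flaw in the Vulnerability Description and of the two checks listed above (this is not tBTC's code nor the Immunefi write-up's): a toy SPV verifier in the shape the report describes, first without and then with a leaf-length check and coinbase-proof validation. The sample block, the fake transaction and the 64-byte coinbase are all constructed, and modelling the coinbase validation as a depth comparison against the coinbase's own proof is my reading of the fix rather than the project's exact code.

```python
import hashlib
def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()
def merkle_proof(leaves, index):
    # Bitcoin-style tree over leaf hashes (odd levels duplicate the last hash).
    # Returns (root, [(sibling_hash, sibling_is_on_right), ...]) for the leaf at index.
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        proof.append((level[index ^ 1], index % 2 == 0))
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof
def verify_naive(tx, proof, root):
    # Vulnerable verifier: hashes whatever bytes it is handed and walks the proof, never
    # checking the leaf's size or depth, so the 64-byte ambiguity is invisible to it.
    h = dsha256(tx)
    for sibling, on_right in proof:
        h = dsha256(h + sibling) if on_right else dsha256(sibling + h)
    return h == root

def verify_hardened(tx, proof, root, coinbase, coinbase_proof):
    # Length check: a 64-byte blob may be two concatenated hashes, so it is never a leaf here.
    if len(tx) == 64:
        return False
    # Coinbase validation (my reading of the fix): the coinbase is leaf 0, so every sibling in its
    # proof is on the right; a valid coinbase proof fixes the tree depth, which tx's proof must match.
    cb_ok = verify_naive(coinbase, [(s, True) for s in coinbase_proof], root)
    return cb_ok and len(proof) == len(coinbase_proof) and verify_naive(tx, proof, root)

def demo():
    fake_tx = b"constructed deposit tx that was never mined" + b"\x00" * 40   # 83 bytes
    honest = [b"constructed honest tx %d" % i for i in (1, 2, 3)]
    # Constructed 64-byte coinbase = dsha256(fake_tx) || filler (a real block would need grinding).
    coinbase = dsha256(fake_tx) + b"\x11" * 32
    leaves = [dsha256(coinbase)] + [dsha256(t) for t in honest]
    root, cb_path = merkle_proof(leaves, 0)
    cb_proof = [s for s, _ in cb_path]
    # Forged proof: an extra first step maps dsha256(fake_tx) onto leaf 0, then follows leaf 0's path.
    forged = [(coinbase[32:], True)] + cb_path
    # Second trick: present an internal node's 64-byte preimage as if it were a transaction.
    node, node_proof = leaves[2] + leaves[3], [(dsha256(leaves[0] + leaves[1]), False)]
    return {
        "naive_accepts_forged_leaf": verify_naive(fake_tx, forged, root),
        "naive_accepts_internal_node": verify_naive(node, node_proof, root),
        "hardened_rejects_forged_leaf": not verify_hardened(fake_tx, forged, root, coinbase, cb_proof),
        "hardened_rejects_internal_node": not verify_hardened(node, node_proof, root, coinbase, cb_proof),
        "hardened_accepts_honest": verify_hardened(honest[1], merkle_proof(leaves, 2)[1], root, coinbase, cb_proof),
    }
```

Every entry returned by `demo()` is `True`: the naive verifier accepts both forgeries, while the hardened one rejects them and still accepts a genuine transaction from the same block.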
### Workarounds
- No documented workarounds; users must rely on the updated protocol smart contracts.
## Detection
- **Indicators of Compromise:** Presence of abnormally small (64-byte) coinbase transactions in Bitcoin blocks linked to tBTC minting events.
- **Detection Methods:** Monitoring the SPV proof verifier contracts for transactions that originate from internal Merkle nodes rather than authenticated leaf transactions.
## References
- [hXXps://medium[.]com/immunefi/threshold-transaction-malleability-bugfix-review-cf0d2aa5437e]
- [hXXps://github[.]com/torvalds/linux/blob/master/Documentation/security/siphash.rst] (Context on Merkle tree malleability in Linux docs)
- [hXXps://threshold[.]network/]