https://medium.com/@numencyberlabs/bsc-chain-cross-chain-bridge-hacking-analysis-24338f9a80
Brief Description Of The Attack
The hacker (address: 0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec) exploited a vulnerability in the IAVL tree, the base library underlying the cross-chain bridge's message validation mechanism, to forge a malicious withdrawal message. This led the cross-chain bridge to send two separate transactions to the hacker, each worth 1 million BNB, totalling approximately $600M USD.
The timely response from CoinSec in curbing the attack allowed them to save most of the assets, and they only lost approximately $100M as a result. Nevertheless, this is still considered a significant amount in the eyes of both the public and BNBChain.
Transaction Address:
https://bscscan.com/tx/0xebf83628ba893d35b496121fb8201666b8e09f3cbadf0e269162baa72efe3b8b
Vulnerability Exploitation Methodology Analysis
The attack occurred on the BSC chain, where Binance Bridge provides liquidity to BSC. From our analysis, we determined that the key component behind the attack is the IAVL tree library on BSC L1, which was originally implemented by Cosmos and is used by BSC Chain. This sort of exploit is known as a Cross-Chain Attack.
The IAVL tree is used to verify the legitimacy of messages sent to the Binance Cross-chain bridge.
Typically, the IAVL tree automatically rejects messages forged by hackers. This time, however, the attacker discovered a vulnerability in the IAVL verification process that let him trick the IAVL tree into accepting arbitrary messages. This allowed the hacker to extract 2M BNB from the cross-chain bridge by carefully constructing a fake message.
The IAVL tree, as its name implies, is a self-balancing binary search tree that was named after its inventors, Georgy Adelson-Velsky and Evgenii Landis. The purpose of the data structure is to provide persistent storage for key-value pairs (such as account balances) so that deterministic Merkle root hashes can be computed.
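The following Go sketch is an added illustration, not code from this article, BNB Chain or the IAVL library. It shows the general check a Merkle proof verifier performs: recompute the root from the claimed key-value pair and its sibling hashes, and accept only if the result equals the trusted root. It assumes a simplified four-leaf binary tree with SHA-256 rather than IAVL's real node encoding; `hashNode`, `Verify`, `Demo` and the sample packages are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// hashNode domain-separates leaves (0) from inner nodes (1) and length-prefixes each part.
func hashNode(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write([]byte{byte(len(p))}) // sample parts are all shorter than 256 bytes
		h.Write(p)
	}
	return h.Sum(nil)
}

// Verify recomputes the root bottom-up from the claimed key/value and accepts only an exact match.
func Verify(root, key, value []byte, idx int, siblings [][]byte) bool {
	h := hashNode(0, key, value)
	for _, s := range siblings {
		if idx&1 == 1 { // odd index: this node is the right child
			h = hashNode(1, s, h)
		} else {
			h = hashNode(1, h, s)
		}
		idx /= 2
	}
	return bytes.Equal(h, root)
}

// Demo builds a constructed four-leaf store and checks three claims against its root.
func Demo() (genuine, forged, replayed bool) {
	l := make([][]byte, 4)
	for i := range l { // constructed packages keyed by sequence number
		l[i] = hashNode(0, []byte{byte(i)}, []byte(fmt.Sprintf("withdraw %d BNB", i+1)))
	}
	left := hashNode(1, l[0], l[1])
	root := hashNode(1, left, hashNode(1, l[2], l[3]))
	proof := [][]byte{l[3], left} // siblings of leaf 2, bottom-up
	genuine = Verify(root, []byte{2}, []byte("withdraw 3 BNB"), 2, proof)
	forged = Verify(root, []byte{2}, []byte("withdraw 1000000 BNB"), 2, proof)
	replayed = Verify(root, []byte{1}, []byte("withdraw 3 BNB"), 2, proof)
	return
}

func main() { fmt.Println(Demo()) }
```

A correct verifier accepts only the first claim; a changed amount or a proof reused under a different key both produce a different root and are rejected.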
The hacker called the handlePackage function in the BSC cross-chain bridge contract and subsequently called the pre-compiled contract to verify the legitimacy of MerkleProof.
What is pre-compilation?
Pre-compilation plays a role similar to a syscall in an operating system. When the operating system receives a syscall number (analogous to 0x65 here), it executes the corresponding system call. Normally, a contract address is generated when the contract is deployed; here, the address is instead hard-coded as 0x65. When BSC L1 sees this address, it directly invokes the MerkleProof process, that is, it calls the IAVL tree.
Attack In A Nutshell
By deploying the contract, the hacker called the handlePackage function of the BSC cross-chain bridge contract
(https://bscscan.com/address/0x0000000000000000000000000000000000002000#code#L1082)
to fake the proof data, which passed the IAVL tree checksum and thus made the cross-chain bridge transfer 2M BNB to the hacker.
Lastly,
Samczsun has made some speculation on the nature of this vulnerability, but it is unconfirmed if all the details are accurate. We are currently in the midst of analysing the attack as well, and we shall continue to release more information in the future when further details are revealed. We encourage you to stay tuned and follow us for a follow-up analysis on the attack.