Jump Crypto unveils critical vulnerability on Binance’s BNB Chain

Published at: Feb. 11, 2023

Web3 infrastructure firm Jump Crypto has discovered a vulnerability in the Binance BNB Beacon Chain, which would allow the mint of an unlimited amount of arbitrary tokens. The issue was privately disclosed to the BNB team, enabling a patch to be developed and deployed within 24 hours.

In a blog post from Feb. 10, Jump Crypto disclosed a detailed report about the vulnerability found two days earlier, which could "have led to a large loss of funds."

As per the report, the BNB Chain is composed of two blockchains - the EVM compatible Smart Chain (BSC), which is based on a fork of go-ethereum and the Beacon Chain, built on top of Tendermint and Cosmos SDK.

However, the Beacon Chain uses a BNB fork hosted on GitHub with several BNB-specific changes. "It deviates from the Cosmos SDK upstream in several ways, motivating us to take extra care in reviewing the differences," notes Jump Crypto, which recently started a broad research effort dedicated to discovering and patching vulnerabilities across projects via coordinated disclosure.

The vulnerability would allow an attacker to mint an almost unlimited amount of BNB tokens via a malicious transfer, meaning that destination accounts would receive a much larger number of BNB tokens than the sender initially provided. Jump Crypto noted:

"Bugs that allow infinite minting of native assets are some of the most critical vulnerabilities in web3. As such, this finding is proof that we all must stay vigilant and collaborate to elevate security assurances across all projects."

The BNB team fixed the issue by switching to overflow resistant arithmetic methods for the sdk.Coin type. The patch will result in a golang panic and a transaction failure if the Coin calculation overflows.

The BNB Chain is the native blockchain behind crypto exchange Binance. The company CEO, Changpeng Zhao, thanked Jump Crypto's team for reporting the bug on Twitter:

Many thanks to @jump_ for reporting this bug. They got a great security team. Really appreciate it. https://t.co/bqidp5X3Y2

— CZ Binance (@cz_binance) February 10, 2023

In October 2022, the BNB Chain was briefly suspended after a cross-chain exploit compromised nearly $80 million worth of cryptocurrency. The genesis of the breach took place on the BSC Token Hub, eventually resulting in the creation of an “extra BNB,” shows an official post on Reddit. 

Tags
Related Posts
Immunefi partners with Binance Smart Chain on bug bounties to secure BSC projects
Immunefi, a security service outfit that specialized in decentralized finance (DeFi) projects, has inked a collaboration with the Binance Smart Chain. According to a release issued on Friday, Immunefi will work in collaboration with BSC to improve the security of projects on the Binance chain. As part of the partnership, ethical hackers who take part in a campaign to discover vulnerabilities in BSC-based projects will earn rewards. As a security outfit, Immunefi has reportedly paid more than $3 million in bug bounties to ethical hackers. Major BSC protocols such as PancakeSwap, DODO, and Zapper among others are already deploying the …
Blockchain / July 9, 2021
DeFi attacks are on the rise — Will the industry be able to stem the tide?
The decentralized finance (DeFi) industry has lost over a billion dollars to hackers in the past couple of months, and the situation seems to be spiraling out of control. According to the latest statistics, approximately $1.6 billion in cryptocurrencies was stolen from DeFi platforms in the first quarter of 2022. Furthermore, over 90% of all pilfered crypto is from hacked DeFi protocols. These figures highlight a dire situation that is likely to persist over the long term if ignored. Why hackers prefer DeFi platforms In recent years, hackers have ramped up operations targeting DeFi systems. One primary reason as to …
Adoption / May 14, 2022
Crypto app targeting SharkBot malware resurfaces on Google app store
A newly upgraded version of a banking and crypto app targeting malware has recently resurfaced on the Google Play store, now with the capability to steal cookies from account logins and bypass fingerprint or authentication requirements. A warning about the new version of the malware was shared by malware analyst Alberto Segura and treat intelligence analyst Mike Stokkel on Twitter accounts on Sept. 2, sharing their co-authored article on Fox IT’s blog. We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! …
Blockchain / Sept. 5, 2022
5 sneaky tricks crypto phishing scammers used last year: SlowMist
Blockchain security firm SlowMist has highlighted five common phishing techniques crypto scammers used on victims in 2022, including malicious browser bookmarks, phony sales orders and trojan malware spread on messaging app Discord. It comes after the security firm recorded a total of 303 blockchain security incidents in the year, with 31.6% of these incidents caused by phishing, rug pull or other scams, according to a Jan. 9 SlowMist blockchain security report. Malicious browser bookmarks One of the phishing strategies makes use of bookmark managers, a feature in most modern browsers. SlowMist said scammers have been exploiting these to ultimately gain …
Blockchain / Jan. 10, 2023
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023