Jump Crypto unveils critical vulnerability on Binance’s BNB Chain
Web3 infrastructure firm, Jump Crypto, has uncovered a significant vulnerability in the Binance BNB Beacon Chain that could have enabled the creation of an unlimited amount of arbitrary tokens. The issue was quickly brought to the attention of the Binance team, and a patch was developed and implemented within 24 hours.
In a recent blog post dated February 10th, Jump Crypto provided a comprehensive report on the vulnerability that was discovered two days prior. The report emphasized the potential for substantial financial loss if the vulnerability had gone unnoticed.
The Binance BNB Beacon Chain consists of two blockchains: the EVM-compatible Smart Chain (BSC), which is based on a fork of go-ethereum, and the Beacon Chain, which is built using Tendermint and the Cosmos SDK.
The Beacon Chain makes use of a customized version of BNB hosted on GitHub that includes specific changes unique to BNB. Jump Crypto, as part of its ongoing research effort aimed at identifying and resolving vulnerabilities through coordinated disclosure, took extra care in reviewing these differences.
The vulnerability would have allowed an attacker to create an almost unlimited amount of BNB tokens through a malicious transfer, resulting in the recipient receiving a larger number of tokens than intended. Jump Crypto emphasized the importance of regularly reviewing blockchain systems to prevent such vulnerabilities.
“Bugs that allow infinite minting of native assets are some of the most critical vulnerabilities in web3. As such, this finding is proof that we all must stay vigilant and collaborate to elevate security assurances across all projects.”
The Binance team resolved the issue by adopting overflow-resistant arithmetic methods for the BNB Coin within the SDK. With this change, an arithmetic overflow triggers a panic in Go and causes the transaction to fail.
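The class of fix described above can be illustrated with a simplified model. This is an added example, not code from the BNB SDK or from Jump Crypto's report; the function names and the "outputs must sum to the input" check are assumptions made for illustration, and the amounts are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// sumUnchecked adds amounts with plain int64 arithmetic, which wraps silently in Go.
func sumUnchecked(amounts []int64) int64 {
	var total int64
	for _, a := range amounts {
		total += a
	}
	return total
}

// addChecked panics instead of wrapping when a+b does not fit in int64.
func addChecked(a, b int64) int64 {
	if (b > 0 && a > math.MaxInt64-b) || (b < 0 && a < math.MinInt64-b) {
		panic("int64 overflow in coin amount addition")
	}
	return a + b
}

// ValidateTransfer (hypothetical) checks that positive output amounts sum to the input.
// A panic raised by addChecked is recovered and reported as a failed transaction.
func ValidateTransfer(input int64, amounts []int64) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("transaction failed: %v", r)
		}
	}()
	var total int64
	for _, a := range amounts {
		if a <= 0 {
			return fmt.Errorf("non-positive amount %d", a)
		}
		total = addChecked(total, a)
	}
	if total != input {
		return fmt.Errorf("outputs %d do not match input %d", total, input)
	}
	return nil
}

func main() {
	amounts := []int64{math.MaxInt64, math.MaxInt64, 3} // constructed sample outputs
	fmt.Println(sumUnchecked(amounts), ValidateTransfer(1, amounts))
}
```

With wrapping arithmetic the three constructed outputs appear to total 1, so a balance check against an input of 1 would pass; the checked version rejects the same transfer.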
Changpeng Zhao, CEO of Binance, expressed his gratitude to the team at Jump Crypto for their diligence in reporting the bug on Twitter:
Many thanks to @jump_ for reporting this bug. They got a great security team. Really appreciate it. https://t.co/bqidp5X3Y2
— CZ Binance (@cz_binance) February 10, 2023
In October 2022, the Binance blockchain experienced a temporary suspension following a cross-chain exploit that affected approximately $80 million worth of cryptocurrency. The root cause of the breach was traced back to the BSC Token Hub, leading to the generation of an “extra BNB,” as stated in an official post on Reddit.