Knowledge

Cosmos Co-Founder Claims Hackers Forged Merkle Proof In BSC Cross-Chain Bridge Attack

In a recent share, Ethan Buchman, co-founder of Cosmos expressed his views on the BSC cross-chain bridge attack, saying that the crux of the incident is that hackers can forge Merkle proofs.

In a Twitter thread, Cosmos co-founder Ethan Buchman gave some thoughts on the $100 million BSC hack of Binance on Oct. Binance is the largest user of the Cosmos software.

According to Ethan Buchman, the crux of the hack was that hackers were able to forge Merkle evidence. Meanwhile, this is difficult because Merkle proofs are said to provide high integrity.

Blockchain (and IBC) lightweight clients are built on top of Merkle proofs, and many blockchains store data in Merkle trees so that proofs can be generated that some data is contained in the tree.

The Cosmos chain uses a Merkle tree called IAVL, and the IAVL repository reveals an API that uses “RangeProof”, but it turns out the inner workings of RangeProof are horribly wrong. The problem with IAVL RangeProof’s code is that it allows the Left and Right fields to be filled in the InnerNode, an attacker basically taking advantage of pasting information into the Right field.

This information is never verified and never affects the hash calculation, to make the Validator believe that certain leaf nodes are part of the tree. So they successfully forged the Merkle proof.

Buchman says that while using RangeProof is not a good idea, there might be a way to get around this by pre-rejecting proofs when any internal node fills both Left and Right fields .

For Merkle proofs in IBC, instead of using the built-in RangeProof system for IAVL trees, IBC uses the ICS23 standard to generate and validate Merkle proofs from IAVL trees and the ICS23 code doesn’t have this vulnerability, this explicitly “rejects” RangeProof.

Finally, the Cosmos co-founder introduces a new specification that has been developed according to more stringent processes set forth by the IBC standards. This specification is called ICS23.

It is a common standard for merkle proofs that support many types of merkle trees, including IAVL trees.

“ICS23 followed a more rigorous design process intended to minimize surface area while still being general purpose – a difficult task! As part of this, it explicitly *rejected* range proofs. There are no range proofs in ICS23”

He said

In 2022, the problem of bridge hacking is quite common and complicated with great damage. On February 3, 2022, the Solana-based Wormhole cross-chain protocol was hacked, causing damage of more than $321 million. On March 29, 2022 Axie Infinity’s Ronin Bridge cross-chain bridge with the total damage caused by the attack was over $600 million. On June 24, 2022, Harmony announced an attack on Horizon Bridge with an estimated cost of $100 million. Or recently on May 2 more than 600 million were hacked on Nomad Bridge.

The amount of money for hacking on BSC is not much compared to the chain, but this is also a warning and many lessons need to be learned to increase the security of cross chains.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Website: coincu.com

Foxy

CoinCu News

Victor

Recent Posts

The New Lead of Presidential Crypto Council Appointed by Trump Is Bo Hines

President-elect Donald Trump named Bo Hines as the executive director of the presidential crypto council.

2 minutes ago

Best New Meme Coins with 1000X Potential: BTFD Coin’s Hot BIG50 Discount As Baby Doge Coin, Dogs Takes Gaming to the Next Level

Explore the best new meme coins with 1000X potential. Learn how BTFD Coin leads with…

1 hour ago

BlockDAG Surges Past $170M as BDAG250 Bonus End Countdown Begins – Aave Targets $400 & Solana Shines with Scalability

BlockDAG crosses $170.5M in presale success with BDAG250 bonus and Whitepaper V3 launch! Solana grows…

3 hours ago

Qubetics Presale Price Surge Approaches: The Best Coins to Invest in Right Now While Toncoin, and XRP Gain Traction

Discover why Qubetics, Toncoin, and XRP are the best coins to invest in right now.…

3 hours ago

Book of Meme Old News? This Best Meme Coin to Invest in 2024 Is Multiplying Gains Like a Champ

Over the years, meme coins have evolved from inside jokes into serious investment opportunities.

4 hours ago

Time’s Ticking on BlockDAG’s 5-Tier Bonus- Few Days Left to Grab It While Cardano Whales Take Action, Aave Rallies Strong

Discover BlockDAG's five-tier bonus program's closing phases that enhance buyer holdings. Gain insights on the…

5 hours ago

This website uses cookies.