Hacken boosts Binance proof of reserves security

On Feb 14, 2023, Hacken researchers ran tests and identified a bug in the Binance zkSNARK-based Proof of Reserves system.

Hacken published a complete report on the assessment, announced it on their Twitter, and immediately apprized the Binance team to resolve the issue.

Binance proof of reserves verification upgrade

Binance announced an upgrade on its proof-of-reserves verification to include zk-SNARKs. The upgrade was expected to boost the verification system’s transparency and security on Feb 10, 2023.

The zkSNARK-based Proof of Reserves system upgrade also included the addition of zero-knowledge proof protocols to Binance’s existing Merkle tree cryptography. The new features addressed the possibility of fake accounts and negative balances and preserved user safety and privacy during transactions.

Previously, Binance relied on plain Merkle tree cryptography for system safety and transparency.

Various blockchains adopted the Merkle-tree-based proof-of-reserves system to increase industry transparency after the fall of FTX. Binance also made the project open source to benefit the whole crypto industry and assure users feel SAFU.

Bug identification

The Hacken team went through all the 1157 dependencies on the project and found 42 vulnerabilities, with 16 exposed to public exploitation. 20 dependencies had a severe vulnerability, while 20 had medium severity.

Of the severe vulnerabilities, the team identified two significant shortcomings on the Merkle sum tree; negative balance and privacy.

The Binance developers immediately responded to the observation by generating zk-SNARK proofs. The proofs contained batches of 864 users, and each interlinked through a Poseidon hash.

The Hacken researchers also discovered that Binance’s Proof of Reserves had loopholes that could allow the generation of fake user debt undetectable by a third party and the possibility of creating fake debt.

The team of three security researchers and blockchain developers led by Luciano Ciattaglia checked the source code and discovered a bug in the system that allowed it to bypass totalUserDebt, totalUserEquity (api.AssertIsLessOrEqual) assertion.

The team created a counterfeit-proof by setting BasePrice at a very high value because the parameter was missing a CheckValueInRange validation, i.e., hackers can create fake proof without system detection. Contrariwise, the BasePrice is a public entity, and it’s easy to detect when it is compromised.

The BasePrice overflow bug means one could change the BasePrice without detection, which could lower exchange-proved liabilities.

Binance response

Hackens contacted Binance after discovering the bugs adhering to their dedication to ensuring transparency in exchanges. Binance developers responded immediately by fixing the bugs and announce on their official Twitter handle.

Hacken’s developers suggested that Binance add CheckValueInRange for BasePrice to prevent the overflow, which the Binance team reviewed and merged Hacken’s commit into Binance’s main branch. Binance fixed all the identified critical and medium severity loopholes.

However, Binance cannot verify any proof generated before the tests as valid, as the critical bugs allowed tampering with the total debt amount. Users cannot confirm that any proof before the test is not compromised due to the vulnerability.

The blockchain also acknowledged Hacken’s work as an outstanding example of community feedback power. Binance also provides a platform where users can report or give feedback on any of Binance’s products.