CVE-2025-30147 - Besu

By Crypto Flexs | May 8, 2025 | 8 Mins Read

Thanks to Marius van der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. Kudos also to the Besu team, the EF security team and Kevaundray Wedderburn. Thanks as well to Justin Traglia, Marius van der Wijden, Benedikt Wagner and Kevaundray Wedderburn for their corrections. If you have any other questions or comments, find me on Twitter at @asanso.

TL;DR: Besu Ethereum execution client version 25.2.2 had a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0.
Here is the full CVE report.

N.B.: Part of this post requires some knowledge of elliptic curves (cryptography).

Introduction

The bn254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, which makes it important for various Ethereum features. Before EIP-2537 and the recent Pectra release, bn254 was the only pairing curve supported by the EVM (Ethereum Virtual Machine). EIP-196 and EIP-197 define precompiled contracts for efficient computation on this curve. For more information about bn254, you can read here.

A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first introduced in the paper "Differential fault attacks on elliptic curve cryptosystems". This attack uses points that do not lie on the correct elliptic curve, leading to potential security issues in cryptographic protocols. For non-prime order curves (such as those in pairing-based cryptography and $G_2$ for bn254), it is especially important that the point is in the correct subgroup. If the point does not belong to the correct subgroup, the cryptographic operation can be manipulated, which can compromise the security of systems that rely on elliptic curve cryptography.

To check that a point $P$ is valid in elliptic curve cryptography, it is necessary to verify that the point lies on the curve and belongs to the correct subgroup. This is especially important when the point $P$ comes from an untrusted or potentially malicious source, since invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode that shows this process.

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_on_curve(P):    
        return False
    if not is_in_subgroup(P):
        return False
    return True

Subgroup membership checks

As mentioned above, when working with any point of unknown origin, it is important to verify that it belongs to the correct subgroup, in addition to confirming that the point lies on the correct curve. For bn254, this is only necessary for $G_2$, because $G_1$ is of prime order. A simple way to test membership in $G$ is to multiply the point by $r$, where $r$ is the cofactor of the curve, which is the ratio between the order of the curve and the order of the base point.

However, this method can be costly in practice because of the large size of the prime $r$, especially for $G_2$. In 2021, Scott proposed a faster method for subgroup membership testing on BLS12 curves using an easily computable endomorphism, making the process 2×, 4× and 4× faster for the different groups (this is the technique specified in EIP-2537 for fast subgroup checks, as described in detail in this document). Dai et al. later generalized Scott's technique to work for a wider range of curves, including BN curves, reducing the number of operations needed for subgroup membership checks. In some cases, the process can be almost free. Koshelev also introduced a method for non-pairing-friendly curves using the Tate pairing, which was eventually further generalized to pairing-friendly curves.

The Real Slim Shady

As you can see from the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu, submitted through the Pectra Audit Competition. We only touch on that issue lightly here, in case the original reporter wants to cover it in more detail. This post focuses specifically on the BN254 EIP-196/EIP-197 vulnerability.

The original reporter observed that in Besu the is_in_subgroup check was performed before the is_on_curve check. The following is an example of what that might look like.

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        if not is_on_curve(P):
            return False  
        return False
    return True

Intrigued by the issue above on the BLS curve, we decided to look at the Besu code for the BN curve. To our surprise, we found something like this:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        return False
    return True

Wait, what? Where is the is_on_curve check? Exactly: there isn't one!!!

Now, to potentially bypass the is_valid_point function, all you need to do is provide a point that is in the correct subgroup but is not actually on the curve.

But wait, is that even possible?

Well, yes, but for particular, well-chosen curves. Specifically, if two curves are isomorphic, they share the same group structure, so you can craft a point on the isomorphic curve that passes the subgroup check but does not lie on the intended curve.

Sneaky, right?

Did you say isomorphism?

Feel free to skip this section if you are not interested in the details. We are about to go a little deeper into the math.

Let $\mathbb{F}_q$ be a finite field with characteristic different from 2 and 3, meaning $q = p^f$ for some prime $p \geq 5$ and integer $f \geq 1$. We consider elliptic curves $E$ over $\mathbb{F}_q$ given by the short Weierstraß equation:

$$y^2 = x^3 + Ax + B$$

where $A$ and $B$ are constants satisfying $4A^3 + 27B^2 \neq 0$.^(This condition guarantees that the curve is non-singular; if it were violated, the equation would define a singular point without a well-defined tangent, making it impossible to perform meaningful self-addition. In such cases, the object is not technically an elliptic curve.)

Curve isomorphisms

Two elliptic curves are considered isomorphic^(To exploit the vulnerabilities described here, we really want isomorphic curves, not just isogenous curves.) if they can be related by a change of variables. Such a transformation preserves the group structure and keeps point addition consistent. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape:

$$(x, y) \mapsto (e^2 x, e^3 y)$$

for some nonzero $e \in \mathbb{F}_q$. Applying this transformation to the curve equation gives:

$$y^2 = x^3 + A e^4 x + B e^6$$

The $j$-invariant of a curve is defined as:

$$j = 1728 \frac{4A^3}{4A^3 + 27B^2}$$

Every element of $\mathbb{F}_q$ can be a possible $j$-invariant.^(… Really special.) When two elliptic curves share the same $j$-invariant, they are either isomorphic (in the sense described above) or they are twists of each other.^(We omit the discussion of twists here because they are not relevant to this case.)

Exploitation

What remains at this point is to craft a suitable point on a carefully selected curve, and voilà, the game is done.

You can try the test vector using this link and enjoy the ride.

Conclusion

In this post, we explored a vulnerability in Besu's implementation of elliptic curve checks. This flaw could allow an attacker to craft a point that passes the subgroup membership check but does not lie on the actual curve. The Besu team has since fixed this issue in release 25.3.0. The issue was isolated to Besu and did not affect other clients, but discrepancies like this raise important concerns for multi-client ecosystems such as Ethereum. A mismatch in cryptographic checks between clients can lead to divergent behavior, where one client accepts a transaction or block that another client rejects. This kind of inconsistency can jeopardize and undermine consensus, especially when subtle bugs go unnoticed across implementations. This incident highlights why rigorous testing and robust security practices matter, especially in blockchain systems, where even minor cryptographic mistakes can ripple out into major systemic vulnerabilities. Initiatives such as the Pectra Audit Competition play an important role in surfacing these issues proactively, before they reach production. By encouraging diverse eyes to examine the code, such efforts strengthen the overall resilience of the ecosystem.

Timeline

  • 15-03-2025 - Bug affecting Pectra EIP-2537 on Besu reported through the Pectra Audit Competition.
  • 17-03-2025 - The EIP-196/EIP-197 issue was found and reported to the Besu team.
  • 17-03-2025 - Marius van der Wijden created a test case.
  • 17-03-2025 - The Besu team promptly acknowledged and fixed the issue.
