CVE-2025-30147- BESU

By Crypto Flexs | May 8, 2025 | 8 Mins Read

Thanks to Marius van der Wijden for creating the test case and statetest and for helping the Besu team confirm the problem. Kudos also to the Besu team, the EF security team and Kevaundray Wedderburn. Thanks as well to Justin Traglia, Marius van der Wijden, Benedikt Wagner and Kevaundray Wedderburn for their corrections. If you have any other questions or comments, find me on Twitter at @asanso.

TL;DR: The Besu Ethereum execution client, version 25.2.2, had a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. BN254). The issue was fixed in release 25.3.0.
The full CVE report is here.

N.B.: Part of this post requires some knowledge of elliptic curves (cryptography).

Introduction

The BN254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, which makes it important for various Ethereum features. Before EIP-2537 and the recent Pectra release, BN254 was the only pairing curve supported by the EVM (Ethereum Virtual Machine). EIP-196 and EIP-197 define precompiled contracts for efficient computation on this curve. For more information about BN254, you can read here.

A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first introduced in the paper "Differential fault attacks on elliptic curve cryptosystems". This attack uses points that are not on the correct elliptic curve, leading to potential security issues in cryptographic protocols. For non-prime order curves (such as those in pairing-based cryptography and $G_2$ for BN254), it is especially important that the point is in the correct subgroup. If the point does not belong to the correct subgroup, the cryptographic operation can be manipulated, which can compromise the security of systems that depend on elliptic curve cryptography.

To check that a point $P$ is valid in elliptic curve cryptography, it is necessary to verify that the point lies on the curve and belongs to the correct subgroup. This is especially important when the point $P$ comes from an untrusted or potentially malicious source, because invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode that shows this process.

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_on_curve(P):    
        return False
    if not is_in_subgroup(P):
        return False
    return True

Subgroup membership checks

As mentioned above, when working with any point of unknown origin, it is important to verify that it belongs to the correct subgroup, in addition to confirming that the point lies on the correct curve. For BN254, this is only necessary for $G_2$, because $G_1$ is of prime order. A simple way to test membership in $G$ is to multiply the point by $r$, where $r$ is the cofactor of the curve, that is, the ratio between the order of the curve and the order of the base point.

However, this method can be costly in practice because of the large size of the prime $r$, especially for $G_2$. In 2021, Scott proposed a faster method for subgroup membership testing on BLS12 curves using an easily computable endomorphism, making the process 2×, 4× and 4× faster for the different groups (this is the technique specified in EIP-2537 for fast subgroup checks, as detailed in this document). Dai et al. generalized Scott's technique to work for a wider range of curves, including BN curves, reducing the number of operations needed for subgroup membership checks. In some cases, the process can be almost free. Koshelev also introduced a method for non-pairing-friendly curves using the Tate pairing, which was eventually further generalized to pairing-friendly curves.

The Real Slim Shady

As you can see from the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu, submitted through the Pectra Audit Competition. We only touch lightly on that problem here, in case the original reporter wants to cover it in more detail. This post focuses on BN254, specifically the EIP-196/EIP-197 vulnerability.

The original reporter observed that in Besu the is_in_subgroup check was performed before the is_on_curve check. The following is an example of how that might look.

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        if not is_on_curve(P):
            return False  
        return False
    return True

Intrigued by the above problem on the BLS curve, we decided to look at the Besu code for the BN curve. To our surprise, we found something like this:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        return False
    return True

Wait, what? Where is the is_on_curve check? Exactly: there isn't one!!!

Now, to potentially bypass the is_valid_point function, all you need to do is provide a point that is in the correct subgroup but is not actually on the curve.

But wait, is that even possible?

Well, yes, but only for particular, well-chosen curves. Specifically, if two curves are isomorphic, they share the same group structure, so you can craft a point on the isomorphic curve that passes the subgroup check but does not lie on the intended curve.

Sneaky, right?

Did you say isomorphism?

If you are not interested in the details, feel free to skip this section. We are going to go a little deeper into the mathematics.

Let $\mathbb{F}_q$ be a finite field with characteristic different from 2 and 3, meaning $q = p^f$ for some prime $p \geq 5$ and integer $f \geq 1$. We consider elliptic curves $E$ over $\mathbb{F}_q$ given by the short Weierstraß equation:

$$y^2 = x^3 + Ax + B$$

where $A$ and $B$ are constants satisfying $4A^3 + 27B^2 \neq 0$.^(This condition guarantees that the curve is non-singular; if it were violated, the equation would define a singular point without a well-defined tangent, making it impossible to perform a meaningful self-addition. In such cases, the object is not technically an elliptic curve.)

Curve isomorphisms

Two elliptic curves are considered isomorphic^(To exploit the vulnerabilities described here, we really want isomorphic curves, not just isogenous curves.) if they can be related by a change of variables. Such a transformation preserves the group structure, so point addition stays consistent. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape:

$$(x, y) \mapsto (e^2 x, e^3 y)$$

for some nonzero $e \in \mathbb{F}_q$. Applying this transformation to the curve equation gives:

$$y^2 = x^3 + A e^4 x + B e^6$$

The $j$-invariant of a curve is defined as:

$$j = 1728 \frac{4A^3}{4A^3 + 27B^2}$$

Every element of $\mathbb{F}_q$ can be a possible $j$-invariant. Really special.) When two elliptic curves share the same $j$-invariant, they are either isomorphic (in the sense described above) or twists of each other.^(We omit the discussion of twists here because they are not relevant to this case.)

Exploitation

What remains at this point is to craft a suitable point on a carefully selected curve, and voilà: the game is done.

You can try the test vector using this link and enjoy the ride.

Conclusion

In this post, we explored a vulnerability in Besu's elliptic curve checks. This flaw could allow an attacker to craft a point that passes the subgroup membership check but does not lie on the actual curve. The Besu team has since fixed this problem in release 25.3.0. The problem was isolated to Besu and did not affect other clients, but this kind of discrepancy raises important concerns for multi-client ecosystems such as Ethereum. A mismatch in cryptographic checks between clients can lead to divergent behavior, where one client accepts a transaction or block that another client rejects. This kind of inconsistency can jeopardize and undermine consensus, especially when subtle bugs go unnoticed across implementations.

This incident highlights why rigorous testing and strong security practices matter, especially in blockchain systems, where even minor cryptographic mistakes can ripple out into major systemic vulnerabilities. Initiatives such as the Pectra Audit Competition play an important role in surfacing these problems before they reach production. By encouraging many different eyes to examine the code, such efforts strengthen the overall resilience of the ecosystem.

Timeline

  • 15-03-2025 - Bug affecting Pectra EIP-2537 on Besu reported through the Pectra Audit Competition.
  • 17-03-2025 - EIP-196/EIP-197 problem found and reported to the Besu team.
  • 17-03-2025 - Marius van der Wijden created a test case.
  • 17-03-2025 - The Besu team quickly acknowledged and fixed the problem.
