
CVE-2025-30147 - Besu

Thanks to Marius van der Wijden for creating the test case and statetest and for helping the Besu team confirm the issue. Kudos also to the Besu team, the EF security team and Kevaundray Wedderburn. In addition, thanks to Yuxiang Qiu, Justin Traglia, Marius van der Wijden, Benedikt Wagner and Kevaundray Wedderburn for proofreading. If you have any other questions or comments, find me on Twitter at @asanso.

TL;DR: Besu Ethereum execution client version 25.2.2 had a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0.
Here is the full CVE report.

N.B.: Part of this post requires some knowledge of elliptic curves (cryptography).

Introduction

The bn254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, which makes it important for various Ethereum features. Before EIP-2537 and the recent Pectra release, bn254 was the only pairing curve supported by the EVM (Ethereum Virtual Machine). EIP-196 and EIP-197 define precompiled contracts for efficient computation on this curve. For more information about bn254, you can read here.

A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first introduced in the paper “Differential fault attacks on elliptic curve cryptosystems”. This attack uses points that do not lie on the correct elliptic curve, which leads to potential security issues in cryptographic protocols. For non-prime order curves (pairing-based cryptography and $G_2$

To check whether a point P is valid in elliptic curve cryptography, it must be verified that the point lies on the curve and belongs to the correct subgroup. This is especially important when the point P comes from an untrusted or potentially malicious source, because invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode that shows this process.

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_on_curve(P):    
        return False
    if not is_in_subgroup(P):
        return False
    return True

Subgroup membership checks

As mentioned above, when working with any point of unknown origin, it is important to verify that it belongs to the correct subgroup, in addition to confirming that the point lies on the correct curve. For bn254, this is only necessary for $G_2$

The Real Slim Shady

As you can see from the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu through the Pectra audit competition. We only touch on that issue lightly here, in case the original reporter wants to cover it in more detail. This post focuses specifically on the bn254 EIP-196/EIP-197 vulnerability.

The original reporter observed that in Besu the is_in_subgroup check was performed before the is_on_curve check. The following is an example of how that might look.

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        if not is_on_curve(P):
            return False  
        return False
    return True

Intrigued by the issue above on the BLS curve, we decided to look at the Besu code for the BN curve. Surprisingly, we found something like this:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        return False
    return True

Wait, what? Where is the is_on_curve check? Exactly: there isn't one!!!

Now, to potentially bypass the is_valid_point function, all you need to do is provide a point that is in the correct subgroup but is not actually on the curve.

But wait, is that even possible?

Well, yes. But only for particular, well-chosen curves. Specifically, if two curves are isomorphic, they share the same group structure, so you can craft a point on the isomorphic curve that passes the subgroup check but does not lie on the intended curve.

Sneaky, right?

Did you say isomorphism?

Feel free to skip this section if you are not interested in the details. We are about to go a little deeper into the mathematics.

Let $\mathbb{F}_q$

$$y^2 = x^3 + Ax + B$$

where $A$ and $B$ are constants satisfying $4A^3 + 27B^2 \neq 0$

Curve

Two elliptic curves are considered isomorphic (to exploit the vulnerability described here, we really want isomorphic curves, not just isogenous curves) if they can be related by a change of variables. Such a transformation preserves the group structure and maintains consistency. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape

$$(x, y) \mapsto (e^2 x, e^3 y)$$

for some nonzero $e \in \mathbb{F}_q$

$$y^2 = x^3 + A e^4 x + B e^6$$

The $j$-invariant of a curve is defined as follows:

$$j = 1728 \frac{4A^3}{4A^3 + 27B^2}$$

Every element of $\mathbb{F}_q$

Exploitation

All that remains at this point is to craft a suitable point on a carefully selected curve, and voilà, the game is complete.

You can try the test vector using this link and enjoy the ride.
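The validation order and the isomorphism argument above, as an added example (not code from the original post or from Besu): a toy curve over F_103 with A = 0 and B = 3, with helper names chosen here, used as a regression check that a subgroup-only validator accepts a point taken from the isomorphic curve y^2 = x^3 + B e^6 while a validator that tests the curve equation first rejects it.

```python
# Toy parameters, constructed for illustration (NOT bn254): y^2 = x^3 + A*x + B over F_p.
# A = 0 as on bn254, so an isomorphic curve (A*e^4, B*e^6) differs only in B.
P_MOD, A, B = 103, 0, 3

def on_curve(pt, b=B):
    if pt is None:                      # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + b)) % P_MOD == 0

def add(p1, p2):
    # Affine short-Weierstrass addition; the formulas use A but never B.
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                     # P + (-P), including doubling a 2-torsion point
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def curve_points(b=B):
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y), b)]

ORDER = len(curve_points()) + 1         # affine points plus infinity

def is_in_subgroup(pt):
    return mul(ORDER, pt) is None

def is_valid_point_subgroup_only(pt):   # shape of the flawed check: no curve equation test
    return is_in_subgroup(pt)

def is_valid_point(pt):                 # hardened: curve equation first, then subgroup
    return on_curve(pt) and is_in_subgroup(pt)

def to_isomorphic(pt, e):               # (x, y) -> (e^2 x, e^3 y)
    return (e * e * pt[0] % P_MOD, e**3 * pt[1] % P_MOD)
```

For any affine point Q returned by curve_points(), to_isomorphic(Q, 2) passes is_valid_point_subgroup_only and fails is_valid_point, because the addition formulas never look at B.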

Conclusion

In this post, we explored a vulnerability in Besu's elliptic curve checks. This flaw could allow an attacker to craft a point that passes the subgroup membership check but does not lie on the actual curve. The Besu team has since fixed the issue in release 25.3.0. The issue was isolated to Besu and did not affect other clients, but discrepancies like this raise important concerns for multi-client ecosystems such as Ethereum. A mismatch in cryptographic checks between clients can lead to divergent behavior, where one client accepts a transaction or block that another client rejects. This kind of inconsistency can jeopardize and undermine consensus, especially when subtle bugs go unnoticed across implementations. This incident highlights why rigorous testing and robust security practices matter, particularly in blockchain systems, where even minor cryptographic mistakes can ripple out into major systemic vulnerabilities. Initiatives such as the Pectra audit competition play an important role in surfacing these issues proactively, before they reach production. By encouraging diverse eyes to scrutinize the code, such efforts strengthen the overall resilience of the ecosystem.

Timeline

  • 15-03-2025 - Bug affecting Pectra EIP-2537 on Besu reported via the Pectra audit competition.
  • 17-03-2025 - Discovered the EIP-196/EIP-197 issue and reported it to the Besu team.
  • 17-03-2025 - Marius van der Wijden created a test case.
  • 17-03-2025 - The Besu team promptly acknowledged and fixed the issue.
