Cosmos Co-founder: Hackers forged Merkle proofs through RangeProof in the BNB Chain attack incident
Chain Catcher news, Cosmos co-founder Ethan Buchman commented on the attack incident of the BNB Chain cross-chain bridge BSC Token Hub, stating that the key issue in this incident is that the hacker was able to forge the Merkle proof. This should not have happened, as Merkle proofs are supposed to provide high integrity. Blockchain light clients (and IBC) are built on top of Merkle proofs, and many blockchains store data in Merkle trees, allowing for the generation of proofs that certain data is included in the tree.
Cosmos chains use a Merkle tree called IAVL, and the IAVL repository exposes an API that uses a RangeProof. However, serious flaws have been found in the internal workings of RangeProof. The issue with the IAVL RangeProof code is that it allows both the Left and Right fields of an InnerNode to be filled, and the attacker essentially exploited this by pasting information into the Right field, which was never validated and never affected the hash calculation, leading the verifier to believe that certain leaf nodes were part of the tree. As a result, they successfully forged the Merkle proof.
Buchman stated that while using RangeProof is not a good idea, there is a way to address this issue: preemptively rejecting the proof when any inner node has both the Left and Right fields filled. For Merkle proofs in IBC, IBC does not use the built-in RangeProof system of the IAVL tree, but instead uses the ICS23 standard to generate and validate Merkle proofs from the IAVL tree. The ICS23 code does not have this vulnerability, as it explicitly "rejects" RangeProof.
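To make the mechanism described above concrete, here is an added toy model in Go (the language of the IAVL repository). It is not the IAVL or ICS23 code and is deliberately simplified: the hash construction, the two-leaf sample tree and the names `ProofInnerNode`, `VerifyLenient`, `VerifyStrict` and `Demo` are assumptions made for this illustration. It shows an inner-node hash rule that ignores `Right` whenever `Left` is set, a lenient verifier that therefore accepts a proof whose `Right` field carries arbitrary unverified bytes, and a strict verifier that applies the fix Buchman describes by rejecting any inner node with both fields filled.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ProofInnerNode is a simplified stand-in (assumption) for the inner node of a
// path proof: the sibling hash sits either to the left or to the right of the
// path. Only one side should ever be set.
type ProofInnerNode struct {
	Left  []byte
	Right []byte
}

// hashLeaf and hashInner are simplified domain-separated SHA-256 hashes
// (assumption); only the left/right branching matters for the demonstration.
func hashLeaf(key, value []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(key)
	h.Write(value)
	return h.Sum(nil)
}

func hashInner(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// Hash computes the parent hash from the child hash on the path. Whenever Left
// is set, Right is ignored entirely: it is neither validated nor fed into the
// hash. This is the "never validated, never affects the hash" pattern the
// article describes.
func (pin ProofInnerNode) Hash(childHash []byte) []byte {
	if pin.Left != nil {
		return hashInner(pin.Left, childHash)
	}
	return hashInner(childHash, pin.Right)
}

// VerifyLenient recomputes the root from the leaf up the path and compares it
// with the trusted root. It performs no structural validation of the nodes.
func VerifyLenient(root, key, value []byte, path []ProofInnerNode) bool {
	h := hashLeaf(key, value)
	for _, pin := range path {
		h = pin.Hash(h)
	}
	return bytes.Equal(h, root)
}

// VerifyStrict applies the remedy described above: any inner node with both
// Left and Right filled is rejected before any hashing is done.
func VerifyStrict(root, key, value []byte, path []ProofInnerNode) error {
	for i, pin := range path {
		if pin.Left != nil && pin.Right != nil {
			return fmt.Errorf("inner node %d has both Left and Right set", i)
		}
	}
	if !VerifyLenient(root, key, value, path) {
		return errors.New("root hash mismatch")
	}
	return nil
}

// Demo builds a constructed two-leaf tree and checks an honest proof for leaf
// "b" against a tampered copy whose Right field carries attacker-chosen bytes.
// It returns: honest proof passes lenient; tampered proof passes lenient;
// strict verifier's error for the tampered proof (nil would mean accepted).
func Demo() (honestOK, tamperedLenientOK bool, tamperedStrictErr error) {
	ka, va := []byte("a"), []byte("1")
	kb, vb := []byte("b"), []byte("2")
	root := hashInner(hashLeaf(ka, va), hashLeaf(kb, vb))

	honest := []ProofInnerNode{{Left: hashLeaf(ka, va)}}
	tampered := []ProofInnerNode{{
		Left:  hashLeaf(ka, va),
		Right: []byte("unverified attacker-controlled bytes"), // constructed
	}}

	honestOK = VerifyLenient(root, kb, vb, honest)
	tamperedLenientOK = VerifyLenient(root, kb, vb, tampered)
	tamperedStrictErr = VerifyStrict(root, kb, vb, tampered)
	return
}

func main() {
	honestOK, tamperedOK, strictErr := Demo()
	fmt.Println("honest proof, lenient verifier:  ", honestOK)
	fmt.Println("tampered proof, lenient verifier:", tamperedOK)
	fmt.Println("tampered proof, strict verifier: ", strictErr)
}
```

The lenient verifier accepts both proofs because the root hash commits only to `Left` and the leaf; whatever is placed in `Right` is never checked, so a verifier (or application code) that trusts that field is trusting attacker input. The strict verifier fails closed on the malformed node before any hash is computed, which is the cheap structural check the article recommends.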