BRC20 Pinning Attack

• URL: http://arxiv.org/abs/2410.11295v2
• Date: Sun, 20 Oct 2024 23:57:21 GMT
• Title: BRC20 Pinning Attack
• Authors: Minfeng Qi, Qin Wang, Zhipeng Wang, Lin Zhong, Tianqing Zhu, Shiping Chen, William Knottenbelt,
• Abstract summary: BRC20 tokens are a type of non-fungible asset on the Bitcoin network. We present the first in-depth analysis of the BRC20 transfer mechanism and identify a critical attack vector.
• Score: 9.2705406817139
• License:
• Abstract: BRC20 tokens are a type of non-fungible asset on the Bitcoin network. They allow users to embed customized content within Bitcoin satoshis. The related token frenzy has reached a market size of US$2,650b over the past year (2023Q3-2024Q3). However, this intuitive design has not undergone serious security scrutiny. We present the first in-depth analysis of the BRC20 transfer mechanism and identify a critical attack vector. A typical BRC20 transfer involves two bundled on-chain transactions with different fee levels: the first (i.e., Tx1) with a lower fee inscribes the transfer request, while the second (i.e., Tx2) with a higher fee finalizes the actual transfer. We find that an adversary can exploit this by sending a manipulated fee transaction (falling between the two fee levels), which allows Tx1 to be processed while Tx2 remains pinned in the mempool. This locks the BRC20 liquidity and disrupts normal transfers for users. We term this BRC20 pinning attack. Our attack exposes an inherent design flaw that can be applied to 90+% inscription-based tokens within the Bitcoin ecosystem. We also conducted the attack on Binance's ORDI hot wallet (the most prevalent BRC20 token and the most active wallet), resulting in a temporary suspension of ORDI withdrawals on Binance for 3.5 hours, which were shortly resumed after our communication.

Related papers

• The Writing is on the Wall: Analyzing the Boom of Inscriptions and its Impact on EVM-compatible Blockchains [8.744676168760394]
  We present a data-driven analysis of the transaction surge in late 2023 and early 2024, attributed to inscriptions. We show that, on certain days, inscriptions accounted nearly 90% on Arbitrum and ZKsync Era. We also show that ZKsync and Arbitrum saw lower median gas fees during these surges.
  arXiv  Detail & Related papers  (2024-05-24T07:21:53Z)
• Not All Prompts Are Secure: A Switchable Backdoor Attack Against Pre-trained Vision Transformers [51.0477382050976]
  An extra prompt token, called the switch token in this work, can turn the backdoor mode on, converting a benign model into a backdoored one. To attack a pre-trained model, our proposed attack, named SWARM, learns a trigger and prompt tokens including a switch token. Experiments on diverse visual recognition tasks confirm the success of our switchable backdoor attack, achieving 95%+ attack success rate.
  arXiv  Detail & Related papers  (2024-05-17T08:19:48Z)
• The Writing is on the Wall: Analyzing the Boom of Inscriptions and its Impact on Rollup Performance and Cost Efficiency [7.394726159860848]
  We study the first study during a heightened activity during the late 2023 transaction boom. We observe that minting inscription-based meme tokens on zkSync Era allows for trading at a fraction of the costs. Unlike L1 blockchains, ZK rollups may experience lower gas fees with increased transaction volume. The introduction of blobs - a form of temporary data storage - decreased the gas costs of rollups, but also raised a number of questions about the security of inscription-based tokens.
  arXiv  Detail & Related papers  (2024-04-17T09:08:42Z)
• R-Pool and Settlement Markets for Recoverable ERC-20R Tokens [14.112164089246571]
  ERC-20R supports asset recovery within a limited time window after an asset is transferred. When an honest recipient receives an ERC-20R asset, they must wait until the recovery windows elapses. We explore how to design a pool to exchange an unsettled ERC-20R asset for a base ERC-20 of the same asset.
  arXiv  Detail & Related papers  (2023-12-22T02:00:23Z)
• Bridging BRC-20 to Ethereum [3.2763090690491343]
  We design, implement, and evaluate a lightweight bridge to connect the Bitcoin and networks that were heterogeneously uncontactable before. Inspired by the recently introduced Bitcoin Request Comment (BRC-20) standard, we leverage the flexibility of Bitcoin inscriptions by embedding editable operations within each satoshi. A user can initialize his/her requests from the Bitcoin network, subsequently triggering corresponding actions on the network.
  arXiv  Detail & Related papers  (2023-10-16T04:58:17Z)
• BRC-20: Hope or Hype [2.3909240294391236]
  BRC-20 (short for Bitcoin Request for Comment 20) token mania was a key storyline in the middle of 2023. We pioneer the exploration of this concept, covering its intricate mechanisms, features, and state-of-the-art applications.
  arXiv  Detail & Related papers  (2023-08-31T02:59:52Z)
• Token Spammers, Rug Pulls, and SniperBots: An Analysis of the Ecosystem of Tokens in Ethereum and in the Binance Smart Chain (BNB) [50.888293380932616]
  We study the ecosystem of the tokens and liquidity pools. We find that about 60% of tokens are active for less than one day. We estimate that 1-day rug pulls generated $240 million in profits.
  arXiv  Detail & Related papers  (2022-06-16T14:20:19Z)
• Investigating Top-$k$ White-Box and Transferable Black-box Attack [75.13902066331356]
  We show that stronger attack actually transfers better for the general top-$k$ ASR indicated by the interest class rank (ICR) after attack. We propose a new normalized CE loss that guides the logit to be updated in the direction of implicitly maximizing its rank distance from the ground-truth class.
  arXiv  Detail & Related papers  (2022-03-30T15:02:27Z)
• The Doge of Wall Street: Analysis and Detection of Pump and Dump Cryptocurrency Manipulations [50.521292491613224]
  This paper performs an in-depth analysis of two market manipulations organized by communities over the Internet: The pump and dump and the crowd pump. The pump and dump scheme is a fraud as old as the stock market. Now, it got new vitality in the loosely regulated market of cryptocurrencies. We report on three case studies related to pump and dump groups.
  arXiv  Detail & Related papers  (2021-05-03T10:20:47Z)
• Quantum Multi-Solution Bernoulli Search with Applications to Bitcoin's Post-Quantum Security [67.06003361150228]
  A proof of work (PoW) is an important cryptographic construct enabling a party to convince others that they invested some effort in solving a computational task. In this work, we examine the hardness of finding such chain of PoWs against quantum strategies. We prove that the chain of PoWs problem reduces to a problem we call multi-solution Bernoulli search, for which we establish its quantum query complexity.
  arXiv  Detail & Related papers  (2020-12-30T18:03:56Z)
• Pump and Dumps in the Bitcoin Era: Real Time Detection of Cryptocurrency Market Manipulations [50.521292491613224]
  We perform an in-depth analysis of pump and dump schemes organized by communities over the Internet. We observe how these communities are organized and how they carry out the fraud. We introduce an approach to detect the fraud in real time that outperforms the current state of the art.
  arXiv  Detail & Related papers  (2020-05-04T21:36:18Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.