Auditing Sweat Wallet’s Growth Jar Contract: A Case Study
Hacken audited Sweat Wallet’s Growth Jar contract. Here’s the overview of the final audit score and key findings.
🇺🇦 Hacken stands with Ukraine!Learn more
On Feb 14, 2023, Hacken researchers identified a bug in the Binance zkSNARK-based Proof of Reserves system. We immediately notified the Binance team. Together, we quickly resolved the issue.
On Feb 10, 2023, Binance released an automated Proof of Reserves system based on zk-SNARKs. With this upgrade, Binance’s developers added zero-knowledge proof protocols to their existing Merkle tree cryptography, introduced shortly after the FTX collapse.
A Merkle sum tree alone had two major shortcomings: privacy and negative balances. Binance’s dev team addressed those problems by generating zk-SNARK proofs for batches of 864 users each. However, the first version of the zk-SNARK contained a vulnerability in Binance’s zk-SNARK code that could challenge the validity of solvency proofs.
Through independent research, Hacken discovered a glitch in Binance’s Proof of Reserves, allowing for the potential generation of fake user debt which could not be detected by a third party.
Our research team of L1 auditors Bartosz Barwikowski and Yarik Bratashchuk led by Luciano Ciattaglia checked the code and discovered a bug in the circuit that allowed it to bypass api.AssertIsLessOrEqual(totalUserDebt, totalUserEquity) assertion.
It was possible to create a fake proof by setting BasePrice to a very high value because of a missing CheckValueInRange validation for this parameter. On the one hand, BasePrice is public for everyone, so it would be easy to detect if it’s invalid or not. On the other hand, there was a way to create fake proof without anyone knowing.
Each proof is generated for batch of 864 users, then they’re linked with each other using the following poseidon hash:
There was a critical bug related to BasePrice overflow. It could have been abused to change the BasePrice without anyone noticing it, which could allow for an exchange to lower their proved liabilities. The Hacken team created an illustration of batch proof calculations here.
Hacken L1 Auditor explains everything in detail, including the solution on GitHub.
Link to the pull request on GitHub ⬇️
As guardians of Proof of Reserves, Hacken is dedicated to ensuring exchanges’ transparency. That’s why we contacted the Binance team right away so that they could fix the bug. They responded swiftly.
Hacken’s proposed solution was to add CheckValueInRange for BasePrice which prevents overflow.
After a brief review, Binance team agreed with the feedback and merged Hacken’s commit into binance:main.
We’re thrilled that the world’s largest crypto exchange shares our commitment to transparency. In light of recent events, it is clear that all custodians must prove their net balances.
Learn more in the full independent technical assessment ⬇️
As a trusted blockchain security auditor, Hacken provides all crypto custodians with valid and secure cryptographic verification of equality and debt. We continue working towards the highest security standards. Contact us today to learn more about our Proof of Reserves Audit and how we can help you prove solvency.
Bartosz is one of Europe’s most talented blockchain security experts working as a layer 1 blockchain researcher and auditor at Hacken. He is a certified CCSS Auditor with additional CEP and CBP certifications from CryptoCurrency Certification Consortium (C4) and has a strong engineering background from the Warsaw University of Technology.
His journey in crypto started in 2014 when he bought and mined his first bitcoins. He has been developing secure smart contracts since 2017 and gradually shifted focus toward all layers of blockchain architecture. Since June 2022, Bartosz has worked as a layer 1 blockchain security auditor at Hacken. In less than a year, he detected 30 critical vulnerabilities.
Binance’s case proves that Bartosz is among the most promising talents in blockchain security, with a passion for making Web3 safer. Additional kudos to Yarik and Luke for showing leadership in safeguarding transparency in Web3.
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email[contact-form-7 id="8165" title="Subscribe"]