Analyzing the potential attack vulnerabilities of wallets based on the design principles of BRC-20.

Evaluating the Vulnerability of BRC-20 Wallets to Potential Attacks through Design Analysis

Author: Trustless Labs

After in-depth research on BRC-20 code and mechanisms, we discovered possible attack methods against huge holders during the transfer phase. In order to help exchanges check for process specification issues and also practice white hat spirit, we attempted to lock the Binance ORDI hot wallet assets using tested methods, resulting in Binance suspending ORDI withdrawals. We immediately notified the Binance team and communicated the operation details to help Binance resume withdrawals as soon as possible. Three hours later, Binance restored ORDI withdrawals. This article will systematically analyze the reasons for Binance’s suspension of ORDI withdrawals from the design principles of BRC-20, helping everyone understand why anyone can lock your BRC-20 balance.

First, let’s take a look at what happened on-chain on UniSat.

• Europe releases the world’s first AI regulation. What intersection does it have with the crypto asset industry?
• Step into the Future with eTukTuk AI, EV, and Blockchain Investment Opportunity You Can’t Afford to Miss Out on before 2024!
• Google’s “Seemingly Real” AI Demo Draws Accusations of Fakery

This is the Binance ORDI hot wallet balance displayed on UniSat at the time of writing this article, divided into three parts: Transferable, Available, and Balance. This involves three basic concepts in BRC-20: Transferable balance, Available balance, and Overall balance. Transferable balance refers to the balance that can be directly transferred out, Available balance refers to the balance that can be converted into Transferable balance, and Overall balance is the sum of the previous two, representing the current address’s total balance. You may be wondering why, if the current Binance ORDI hot wallet has so much balance, it still cannot withdraw or transfer out. Don’t worry, let’s continue.

BRC-20 transfers require two steps: first, inscribe a transfer inscription, and second, transfer this inscription to the recipient to complete the BRC-20 transfer. Since inscription transfer is based on UTXO, that is, the amount of inscription inscribed in the first step is the only amount of BRC-20 that can be transferred in the second step, the Transferable balance mentioned earlier is also based on UTXO. Let’s take an example to help everyone understand: Suppose A is a newly created address, and then you mint m ORDI to address A or transfer m ORDI from another address to address A. At this point, A’s Available balance and Overall balance are both m, and Transferable balance is 0. Then we transfer n ORDI from address A to address B. In the first step, inscribe an Inscription with an amt of n to address A (this Inscription is valid only if n <= m). At this time, A's Transferable balance is n, Available balance is m – n, and Overall balance is m. In the second step, transfer this Inscription with an amt of n to address B. At this time, A's Available balance and Overall balance are both m – n, Transferable balance is 0, B's Available balance and Overall balance are both n, and Transferable balance is 0. The transfer is complete.

For example, taking the Binance ORDI hot wallet transaction list displayed on UniSat as an example, the Method in the image corresponds to the first step mentioned earlier, inscribe-transfer. The Method corresponding to receive or send is the second step. In addition, the last two transactions in the image together form a complete BRC-20 transfer. The other three inscribe-transfer transactions each inscribe three Inscriptions with amts of 8,210,108, 6,099, and 2,683, respectively. These three Inscriptions together constitute the Transferable balance. So, if you want to transfer ORDI from the Binance ORDI hot wallet, you can only transfer the ORDI corresponding to the three amts, which cannot meet the diverse withdrawal needs of users.

The reason for this situation is that anyone can inscribe any Inscription to any address, so anyone can lock the BRC-20 balance of any address by performing the first step of a BRC-20 transfer. So how should Binance solve the current problem? Actually, it’s quite simple. Just transfer the three Inscriptions mentioned earlier to yourself, and the Transferable balance will be converted back to Available balance. Then, depending on the user’s withdrawal needs, inscribe the Inscription corresponding to the desired amt and make the transfer. However, this can only solve the immediate problem and cannot fundamentally address the issue. Only by improving the protocol itself and resolving the flaws in the current BRC-20 design can a permanent solution be achieved.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!