• On Feb 14, 2023, Hacken researchers identified a bug in the Binance zkSNARK-based Proof of Reserves system.
• Binance announced an upgrade on its proof-of-reserves verification to include zk-SNARKs.
• The Hacken team found 42 vulnerabilities, with 16 exposed to public exploitation, including the possibility of creating fake debt undetectable by a third party.
Binance Upgrades Security With zkSNARK
Binance upgraded their proof of reserves verification system on Feb 10th, 2023 to include zk-SNARKs. This addition was expected to boost transparency and security while preserving user safety and privacy during transactions. Prior to this update, Binance used Merkle tree cryptography for system safety and transparency.
Hacken Identifies Bug in System
On Feb 14th, 2023 Hacken researchers identified a bug in the Binance zkSNARK-based Proof of Reserves system which allowed for the generation of fake accounts and negative balances undetectable by third parties. After identifying the bug they published a report on their findings and alerted the Binance team immediately so that they could resolve the issue.
Vulnerabilities Found
The Hacken team went through all 1157 dependencies on the project and found 42 vulnerabilities with 16 exposed to public exploitation. Of these 42 vulnerabilities, 20 had severe severity while 20 had medium severity with two significant shortcomings discovered on Merkle sum tree; negative balance and privacy issues. The researchers then discovered loopholes allowing for generation of fake user debts undetectable by third parties as well as possibility of creating fake debt due to missing CheckValueInRange validation within BasePrice parameter setting when generating zero knowledge proofs containing batches of 864 users linked through Poseidon hash functions .
Solution Implemented
After discovering these bugs and loopholes in their existing proof of reserves system, Binance immediately responded by generating zero-knowledge proofs containing batches of 864 users interlinked via Poseidon hash functions which addressed both negative balance & privacy issues previously present in Merkle sum tree cryptography .
Open Source Project Benefits Crypto Industry
In response to FTX’s fall many blockchains adopted Merkle Tree Cryptography based systems for increased industry transparency ,which inspired Binance make this project open source which will benefit entire crypto industry (ensuring users feel SAFU).