Show Notes

187 - Top 2022 Web Hacking Techniques and a Binance Bug

A small bug in processing/validating the entries in the Merkle tree resulted in the theft of 2 million BNB ($586 million USD at the time of the original theft).

So, this bug existed in the Binance Smart Chain (BSC) Token Hub. The BSC Token Hub was a bridge that facilitated transactions between the Beacon Chain and the Binance Smart Chain. These "bridge" applications run on both chains, and relayers submit the cross-chain communications between the bridge contracts on each blockchain.

The vulnerability lies in the validation process for a new transaction. Each node of the tree should be the hash of the concatenation of its two child nodes, so by starting at the bottom and comparing hashes all the way up you can prove the contents were not modified. The problem is that when a new node is added, you can end up in a state where a parent node only has one child.

The Hash method attempts to handle this by checking whether the left child is set. If it is not set, it proceeds using the right child. That makes sense on its own, but there is no handling or check for the case where both child nodes are set: in the else branch it just uses the left child, ignoring the right child, so the right child has no effect on the hash of the node.

This verification bug allowed attackers to place a malicious payload sending themselves 1 million BNB in the right node and have it pass validation. Doing this twice stole 2 million BNB.
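To make the hashing flaw concrete, here is an added illustration (not the Binance or IAVL code) using a simplified tree model: the `Node` type, the `sum` helper, `hashVulnerable`, `hashFixed` and `RightChildDetected` are all hypothetical names constructed for this example. It shows that under the described logic a right child added beside a left child leaves the parent hash unchanged, while a hash that binds both child slots detects it.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Node: leaves carry Value; inner nodes carry child hashes (nil = absent).
type Node struct{ Left, Right, Value []byte }

func sum(parts ...[]byte) []byte {
	h := sha256.Sum256(bytes.Join(parts, nil))
	return h[:]
}

// hashVulnerable mirrors the logic described above: with no left child it
// hashes the right child, otherwise only the left, so Right is never bound.
func hashVulnerable(n Node) []byte {
	if n.Value != nil {
		return sum(n.Value)
	}
	if n.Left == nil {
		return sum(n.Right)
	}
	return sum(n.Left) // n.Right is silently ignored
}

// hashFixed binds both child slots with tags so either child alters the hash.
func hashFixed(n Node) []byte {
	if n.Value != nil {
		return sum([]byte{0x00}, n.Value)
	}
	return sum([]byte{0x01}, n.Left, []byte{0x02}, n.Right)
}

// RightChildDetected reports whether adding a right child beside an existing
// left child changes the parent hash under the given hasher.
func RightChildDetected(hasher func(Node) []byte) bool {
	left := hasher(Node{Value: []byte("legitimate entry")})
	before := hasher(Node{Left: left})
	injected := hasher(Node{Value: []byte("constructed test payload")}) // constructed sample
	after := hasher(Node{Left: left, Right: injected})
	return !bytes.Equal(before, after)
}

func main() {
	fmt.Println("vulnerable:", RightChildDetected(hashVulnerable), "fixed:", RightChildDetected(hashFixed))
}
```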

A path-traversal style issue in Kardex MLOG, caused by not properly handling Windows path separators. The service's GetFilehandler would check for an /api or /image slug, and if neither was present it would fall back to constructing a filename. While it stripped forward slashes (/), it ignored Windows backslash separators (\). Additionally, since Windows supports remote (UNC) paths via \\, it was possible to include a remote file from an attacker-controlled host.

Taking this to RCE was straightforward: if the file extension was t4, the file was passed through the template engine, effectively resulting in Server-Side Template Injection (SSTI). As the template engine supported C#, RCE was trivial.