ResearchTrend.AI
27
0

BRC20 Pinning Attack

Minfeng Qi
Qin Wang
Zhipeng Wang
Lin Zhong
Tianqing Zhu
Shiping Chen
William Knottenbelt
ArXivPDFHTML
Abstract

BRC20 tokens are a type of non-fungible asset on the Bitcoin network. They allow users to embed customized content within Bitcoin satoshis. The related token frenzy has reached a market size of US2,650boverthepastyear(2023Q32024Q3).However,thisintuitivedesignhasnotundergoneserioussecurityscrutiny.WepresentthefirstindepthanalysisoftheBRC20transfermechanismandidentifyacriticalattackvector.AtypicalBRC20transferinvolvestwobundledonchaintransactionswithdifferentfeelevels:thefirst(i.e.,Tx1)withalowerfeeinscribesthetransferrequest,whilethesecond(i.e.,Tx2)withahigherfeefinalizestheactualtransfer.Wefindthatanadversarycanexploitthisbysendingamanipulatedfeetransaction(fallingbetweenthetwofeelevels),whichallowsTx1tobeprocessedwhileTx2remainspinnedinthemempool.ThislockstheBRC20liquidityanddisruptsnormaltransfersforusers.WetermthisBRC20pinningattack.Ourattackexposesaninherentdesignflawthatcanbeappliedto90+inscriptionbasedtokenswithintheBitcoinecosystem.WealsoconductedtheattackonBinancesORDIhotwallet(themostprevalentBRC20tokenandthemostactivewallet),resultinginatemporarysuspensionofORDIwithdrawalsonBinancefor3.5hours,whichwereshortlyresumedafterourcommunication.2,650b over the past year (2023Q3-2024Q3). However, this intuitive design has not undergone serious security scrutiny. We present the first in-depth analysis of the BRC20 transfer mechanism and identify a critical attack vector. A typical BRC20 transfer involves two bundled on-chain transactions with different fee levels: the first (i.e., Tx1) with a lower fee inscribes the transfer request, while the second (i.e., Tx2) with a higher fee finalizes the actual transfer. We find that an adversary can exploit this by sending a manipulated fee transaction (falling between the two fee levels), which allows Tx1 to be processed while Tx2 remains pinned in the mempool. This locks the BRC20 liquidity and disrupts normal transfers for users. We term this BRC20 pinning attack. Our attack exposes an inherent design flaw that can be applied to 90+% inscription-based tokens within the Bitcoin ecosystem. We also conducted the attack on Binance's ORDI hot wallet (the most prevalent BRC20 token and the most active wallet), resulting in a temporary suspension of ORDI withdrawals on Binance for 3.5 hours, which were shortly resumed after our communication.

View on arXiv
Comments on this paper