CVE-2025-30147 - The curious case of subgroup check on Besu

May 7, 2025

Thanks to Marius Van der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. In addition, congratulations to the Besu team, the EF security team and Kevaundray Wedderburn. Thanks also to Justin Traglia, Marius van der Wijden, Benedikt Wagner and Kevaundray Wedderburn for proofreading. If you have any other questions or comments, find me on Twitter at @ASANSO.

tl;dr: Besu Ethereum execution client version 25.2.2 suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. BN254). The issue was fixed in release 25.3.0.
Here is the full CVE report.

N.B.: Part of this article requires some knowledge of elliptic curves (cryptography).

Introduction

The BN254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, which makes it crucial for various Ethereum features. Before EIP-2537 and the recent Pectra release, BN254 was the only pairing curve supported by the Ethereum Virtual Machine (EVM). EIP-196 and EIP-197 define the precompiled contracts for efficient computation on this curve. For more details on BN254, you can read here.

A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first introduced in the paper "Differential fault attacks on elliptic curve cryptosystems". This attack targets the use of points that are not on the correct elliptic curve, leading to potential security problems in cryptographic protocols. For non-prime-order curves (like those appearing in pairing-based cryptography and in $G_2$ for BN254), it is particularly important that the point is in the correct subgroup. If the point does not belong to the correct subgroup, the cryptographic operation can be manipulated, potentially compromising the security of systems that rely on elliptic curve cryptography.

To check whether a point P is valid in elliptic curve cryptography, it must be verified that the point is on the curve and belongs to the correct subgroup. This is particularly critical when the point P comes from an untrusted or potentially malicious source, because invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode demonstrating this process:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_on_curve(P):    
        return False
    if not is_in_subgroup(P):
        return False
    return True

Subgroup membership checks

As mentioned above, when you work with any point of unknown origin, it is crucial to check that it belongs to the correct subgroup, in addition to confirming that the point is on the correct curve. For BN254, this is only necessary for $G_2$, because $G_1$ is of prime order. A simple method to test membership in $G$ is to multiply a point by $r$, where $r$ is the cofactor of the curve, which is the ratio between the order of the curve and the order of the base point.

However, this method can be costly in practice due to the large size of the prime $r$, especially for $G_2$. In 2021, Scott proposed a faster method for subgroup membership testing on BLS12 curves using an endomorphism, which makes the process 2×, 4× and 4× faster for different groups (this technique is the one specified in EIP-2537 for fast subgroup checks, as detailed in this document). Later, Dai et al. generalized Scott's technique to work for a larger range of curves, including BN curves, reducing the number of operations required for subgroup membership checks. In some cases, the process can be almost free. Koshelev also introduced a method for non-pairing-friendly curves using the Tate pairing, which was eventually further generalized to pairing-friendly curves.

The Real Slim Shady

As you can see in the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu, submitted via the Pectra audit competition. We only touch on that issue lightly here, in case the original reporter wants to cover it in more detail. This post focuses specifically on the BN254 EIP-196/EIP-197 vulnerability.

The original reporter observed that in Besu, the is_in_subgroup check was performed before the is_on_curve check. Here is an example of what that might look like:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        if not is_on_curve(P):
            return False  
        return False
    return True

Intrigued by the above issue on the BLS curve, we decided to take a look at the Besu code for the BN curve. To my surprise, we found something like this:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        return False
    return True

Wait, what? Where is the is_on_curve check? Exactly: there is none!!!

Now, to potentially bypass the is_valid_point function, all you would need to do is provide a point that lies in the correct subgroup but is not actually on the curve.

But wait, is that even possible?

Well, yes, but only for particular, well-chosen curves. More specifically, if two curves are isomorphic, they share the same group structure, which means that you can craft a point from the isomorphic curve that passes subgroup checks but is not on the intended curve.

Sneaky, right?

Did you say isomorphism?

Feel free to skip this section if you are not interested in the details; we are about to go a bit deeper into the math.

Let $\mathbb{F}_q$ be a finite field with characteristic different from 2 and 3, which means $q = p^f$ for some prime $p \geq 5$ and integer $f \geq 1$. We consider elliptic curves $E$ over $\mathbb{F}_q$ given by the short Weierstraß equation:

$$y^2 = x^3 + Ax + B$$

where $A$ and $B$ are constants satisfying $4A^3 + 27B^2 \neq 0$. (This condition guarantees that the curve is non-singular; if it were violated, the equation would define a singular point without a well-defined tangent, which makes it impossible to perform a meaningful self-addition. In such cases, the object is not technically an elliptic curve.)

Curve isomorphisms

Two elliptic curves are considered isomorphic if they can be related by an affine change of variables. (To exploit the vulnerabilities described here, we really want isomorphic curves, not just isogenous curves.) These transformations preserve the group structure and guarantee that point addition remains consistent. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape:

$$(x, y) \mapsto (e^2 x, e^3 y)$$

for some nonzero $e \in \mathbb{F}_q$. Applying this transformation to the curve equation gives:

$$y^2 = x^3 + A e^4 x + B e^6$$

The $j$-invariant of a curve is defined as:

$$j = 1728 \frac{4A^3}{4A^3 + 27B^2}$$

Every element of $\mathbb{F}_q$ can be a possible $j$-invariant. (Both BLS and BN curves have a $j$-invariant equal to 0, which is really special.) When two elliptic curves share the same $j$-invariant, they are either isomorphic (in the sense described above) or they are twists of each other. (We omit the discussion of twists here, because they are not relevant to this case.)
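
As an added illustration (not code from the original post or from Besu), the sketch below uses a toy curve $y^2 = x^3 + 3$ over $\mathbb{F}_{1009}$ to show why a subgroup test alone accepts a point taken from the isomorphic curve $y^2 = x^3 + Be^6$: the affine addition formulas never use $B$, and isomorphic curves have the same group order. The parameters are constructed, all helper names other than is_on_curve, is_in_subgroup and is_valid_point are hypothetical, and the whole toy group stands in for the order-$r$ subgroup.

```python
# Toy parameters constructed for illustration (NOT BN254): E: y^2 = x^3 + B over F_p.
P_MOD, B = 1009, 3
INF = None  # point at infinity

def is_on_curve(pt, b=B):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x ** 3 - b) % P_MOD == 0

def add(p1, p2):
    # Affine group law for curves with A = 0; the coefficient B is never used.
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def curve_order(b):
    # Brute-force count, fine for a toy field: infinity plus the roots of x^3 + b.
    rhs = [(x ** 3 + b) % P_MOD for x in range(P_MOD)]
    return 1 + sum(1 if v == 0 else 2 * (pow(v, (P_MOD - 1) // 2, P_MOD) == 1) for v in rhs)

N = curve_order(B)  # the whole toy group stands in for the order-r subgroup

def is_in_subgroup(pt):
    return mul(N, pt) is INF

def is_valid_point_subgroup_only(pt):  # the flawed shape: no curve check
    return is_in_subgroup(pt)

def is_valid_point(pt):  # curve equation first, then subgroup
    return is_on_curve(pt) and is_in_subgroup(pt)

def point_on_isomorphic_curve(e):
    # First affine point on y^2 = x^3 + B*e^6, the image of E under (x, y) -> (e^2 x, e^3 y).
    b2 = B * pow(e, 6, P_MOD) % P_MOD
    return next((x, y) for x in range(P_MOD) for y in range(P_MOD) if is_on_curve((x, y), b2))
```

With e = 2 (so $e^6 \neq 1$), the returned point passes the subgroup-only validator and is rejected by the validator that checks the curve equation first.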

Exploitability

At this point, all that remains is to craft a suitable point on a carefully chosen curve, and that's it: the game is done.

You can try the test vector using this link and enjoy the ride.

Conclusion

In this article, we explored the vulnerability in Besu's implementation of elliptic curve checks. This flaw, if exploited, could allow an attacker to craft a point that passes subgroup membership checks but is not on the actual curve. The Besu team has since addressed this problem in version 25.3.0. Although the problem was isolated to Besu and did not affect other clients, discrepancies like this raise important concerns for multi-client ecosystems like Ethereum. A mismatch in cryptographic checks between clients can lead to divergent behavior, where one client accepts a transaction or block that another rejects. This type of inconsistency can compromise consensus and undermine confidence in the network's uniformity, in particular when subtle bugs remain unnoticed across implementations. This incident highlights why rigorous testing and robust security practices are absolutely essential, especially in blockchain systems, where even minor cryptographic missteps can ripple out into major systemic vulnerabilities. Initiatives like the Pectra audit competition play a crucial role in surfacing these problems before they reach production. By encouraging diverse eyes to examine the code, these efforts strengthen the overall resilience of the ecosystem.

Timeline

  • 15-03-2025 - Bug affecting Pectra EIP-2537 on Besu reported via the Pectra audit competition.
  • 17-03-2025 - Discovered and reported the EIP-196/EIP-197 issue to the Besu team.
  • 17-03-2025 - Marius van der Wijden created a test case and statetest to reproduce the problem.
  • 17-03-2025 - The Besu team quickly acknowledged and fixed the problem.




