Hackers teach you how to use 0.01 BNB to "free" CZ

Author: 23pds & Thinking

Editor: Sherry

background

Yesterday, when I was still sorting out the APT attack-related material, Shan Ge (@im23pds) suddenly came to my station excitedly: "Thinking, I found an interesting project. CZ is used at high frequency, so we may be able to cost 0 and CZ Say Hi." So we quickly formulated several possible vulnerabilities:

• Hijack CZ's account on ReachMe;
• Change the settings of CZ in ReachMe;
• No money to send messages to CZ, bypassing the limit that it costs 1 BNB to send messages to him.

About 10 minutes later, we discovered a vulnerability that can be used at low cost and at any user Say Hi, so we contacted the project team as soon as possible and provided details of vulnerability verification. The project team also quickly fixed the vulnerability as soon as possible and contacted us for retesting. Like the ReachMe team's attitude towards safety issues seriously and rigorously!

 (https://x.com/SlowMist_Team/status/1905212712956665896)

In addition, the Slow Fog Safety Team is honored to receive the recognition from the CZ and ReachMe project teams.

 (https://x.com/cz_binance/status/1905240886986039437)

Discovery process

ReachMe.io is a paid chat platform based on BNB Chain, aiming to connect KOLs (key opinion leaders) with fans through cryptocurrency payment mechanisms. Users need to pay BNB to send private messages to KOLs, and KOLs can receive a 90% fee (10% commission on the platform); if KOL does not reply within 5 days, users can receive a 50% refund.

On March 27, 2025, Binance founder CZ changed his X account profile to: "DM: https://reachme.io/@cz_binance (fees go to charity)", that is, "DM me on ReachMe, the fees will be used for charity."

We can see that the cost of CZ Say Hi is 1 BNB, so we envisioned some solutions and tried it to see how to bypass the limit of 1 BNB to CZ Say Hi.

After a while of research with Brother Shan, we found that when ReachMe sends a message to any KOL, it will generate a summary of the message through the "/api/kol/message" interface, which contains the "_id" field. This field is attached to the on-chain contract Function: deposit(string _identifier,address _kolAddress) when sending a message, and the corresponding _identifier field is used.

And sending the BNB that comes with the message to the KOL is actually the number of BNBs attached to the contract Function: deposit. So we constructed a transaction to send the "_identifier" corresponding to the message of "Hi CZ" and the address of the CZ, and to send the 0.01 BNB (the minimum required is 0.001 BNB) to the contract.

Since ReachMe did not place the preset message sending costs of KOLs in the contract for detection at the beginning of its design (perhaps to facilitate KOLs to better adjust the price of messages at any time and save gas fees?), it can bypass the 1 BNB limit by modifying the front-end code, modifying the network response package, or directly interacting with the contract. This is because the server also misses the check of the message price and the number of BNBs transactions on the chain when retrieving transactions on the chain.

So we took about 10 minutes to successfully bypass the rule that it would cost 1 BNB to talk to CZ, and only cost 0.01 BNB to get to CZ Say Hi.

In addition, it is worth noting that there are actually more deeper uses, such as: sending interesting messages to CZ and conducting spear phishing? Given that CZ has a great influence, I gave up this part of the test later. Everyone should pay more attention to safety and be careful about fishing.

Summarize

This type of product design that combines centralization and decentralization often leads to inconsistent security checks on-chain and off-chain. Therefore, an attacker can bypass certain inspection restrictions by analyzing the interaction process on and off the chain. The Slow Fog Security Team recommends that the project party synchronize necessary security check items in the on-chain and off-chain codes as much as possible to avoid the possibility of being bypassed. At the same time, it is recommended to hire a professional security team for security audits to identify potential security risks and prevent them.