Author: 23pds & Thinking
Editor: Sherry
Background
Yesterday, while I was organizing materials related to APT attacks, Shan Ge (@im23pds) suddenly excitedly came to my workstation: "Thinking, I found an interesting project that CZ frequently uses. We might be able to say hi to CZ at zero cost." So we quickly drafted several possible vulnerability points:
- Hijacking CZ's account on ReachMe;
- Changing CZ's settings on ReachMe;
- Sending messages to CZ without spending money, bypassing the 1 BNB fee for messaging him.
About 10 minutes later, we discovered a vulnerability on ReachMe.io that allowed us to say hi to any user at a low cost, so we immediately contacted the project team and provided details for vulnerability verification. The project team quickly fixed the vulnerability and contacted us for retesting. Kudos to the ReachMe team for their serious and rigorous attitude towards security issues!
(https://x.com/SlowMist_Team/status/1905212712956665896)
In addition, the SlowMist security team is honored to receive thanks from CZ and the ReachMe project team.
(https://x.com/cz_binance/status/1905240886986039437)
Discovery Process
ReachMe.io is a paid chat platform based on the BNB Chain, designed to connect KOLs (Key Opinion Leaders) with fans through a cryptocurrency payment mechanism. Users must pay BNB to send private messages to KOLs, who receive 90% of the fees (with the platform taking a 10% cut); if a KOL does not respond within 5 days, the user can receive a 50% refund.
On March 27, 2025, Binance founder CZ changed his X account bio to: "DM: https://reachme.io/@cz_binance (fees go to charity)," meaning "DM me on ReachMe, and the fees will go to charity."
We can see that the cost to say hi to CZ is 1 BNB, so we brainstormed some solutions and tried to find ways to bypass the 1 BNB limit to say hi to CZ.
After some research with Shan Ge, we found that when sending messages to any KOL, ReachMe generates a summary of the message through the "/api/kol/message" interface, which includes the "_id" field. This field is attached to the on-chain contract Function: deposit(string _identifier, address _kolAddress) when sending a message, corresponding to the _identifier field.
Moreover, the BNB sent along with the message to the KOL is actually the amount of BNB attached to the contract Function: deposit. Therefore, we constructed a transaction that sent the "_identifier" corresponding to the message "Hi CZ" along with CZ's address and attached 0.01 BNB (the minimum required is only 0.001 BNB) to the contract.
Since ReachMe did not initially set the messaging cost for KOLs in the contract for detection (perhaps to allow KOLs to adjust message prices more conveniently and save on gas fees?), it was possible to bypass the 1 BNB limit by modifying the front-end code, altering the network response package, or directly interacting with the contract. This was due to the server's oversight in checking the message price against the BNB amount in the on-chain transaction.
Thus, we spent about 10 minutes successfully bypassing the rule that required 1 BNB to talk to CZ, allowing us to say hi to CZ for only 0.01 BNB.
Additionally, it is worth noting that there are even deeper utilizations, such as sending CZ interesting messages for phishing? Given CZ's significant influence, we later abandoned this part of the testing, and everyone should also pay attention to security and beware of phishing.
Conclusion
This type of product design that combines centralized and decentralized elements often leads to inconsistencies in security checks between on-chain and off-chain. Therefore, attackers can bypass certain checks by analyzing the interaction processes between on-chain and off-chain. The SlowMist security team recommends that project teams synchronize necessary security checks in both on-chain and off-chain code as much as possible to avoid the possibility of being bypassed. Additionally, it is advisable to hire a professional security team for security audits to identify and mitigate potential security risks.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
