Vulnerability found in Binance reserve audit mechanism

The algorithm behind the Binance cryptocurrency exchange's Proof-of-Reserves (PoR) contains a vulnerability related to its lending function and the accounting of so-called fictitious users, according to Enrico Bottazzi, a researcher at Privacy Scaling Explorations.

These are non-existent accounts that hold an equity (positive) position in an illiquid asset and a debt (negative) position in a highly liquid one.

The researcher described in detail a potential attack scenario in which a fictitious user takes out a loan in one cryptocurrency, using another as collateral.

“In this case, the balance of the pledged coin is negative, while the net balance of the two coins, when converted to dollars, should be positive. Considering that Binance maintains user debts, a situation cannot be ruled out in which the exchange will be able to declare its solvency even when it is not solvent,” explains Bottazzi.

He added that if a user withdraws highly liquid coins, the exchange would not necessarily have them available immediately and would be forced to liquidate illiquid assets.

“However, liquidation may not be possible due to changing market conditions, which exposes the user to the risk of being unable to withdraw their funds,” the expert added.
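The accounting gap described above, modelled in a simplified form. This is an added illustration, not code from the page or from Binance or Bottazzi: the prices, the ticker ILLQ, the accounts and the reserve figures are all constructed, and the "netted" and "gross" liability computations are assumed simplifications of a PoR liability check, not Binance's actual scheme. The netted variant accepts any account whose net USD equity is positive and lets a user's debt in BTC cancel other users' BTC balances; a paper-only borrower with a large illiquid position therefore lowers the reported BTC liability enough to hide a shortfall. The gross variant, which never lets a debt reduce the liability of the asset it is owed in, is one conservative alternative that closes this particular gap; it is not the collateral-field design Binance proposed.

```python
"""Simplified model of a proof-of-reserves liability check (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed prices; ILLQ is a hypothetical thinly traded token.
PRICES_USD = {"BTC": 60_000.0, "ILLQ": 0.10}


@dataclass
class Account:
    user_id: str
    balances: dict  # asset -> amount; a negative amount is a loan from the exchange


def net_usd(acct: Account) -> float:
    """User's net equity in USD, debts included (the per-user check a netting scheme relies on)."""
    return sum(qty * PRICES_USD[asset] for asset, qty in acct.balances.items())


def liabilities_netted(accounts: list[Account]) -> dict[str, float]:
    """Per-asset liability as the sum of signed balances.

    A user's debt in an asset cancels other users' positive balances in it, so this
    is what a netting scheme reports. Accounts with negative net equity are rejected.
    """
    totals: dict[str, float] = {asset: 0.0 for asset in PRICES_USD}
    for acct in accounts:
        if net_usd(acct) < 0:
            raise ValueError(f"{acct.user_id}: negative net equity")
        for asset, qty in acct.balances.items():
            totals[asset] += qty
    return totals


def liabilities_gross(accounts: list[Account]) -> dict[str, float]:
    """Per-asset liability counting only positive balances; a debt never reduces it."""
    totals: dict[str, float] = {asset: 0.0 for asset in PRICES_USD}
    for acct in accounts:
        for asset, qty in acct.balances.items():
            if qty > 0:
                totals[asset] += qty
    return totals


def is_solvent(reserves: dict[str, float], liabilities: dict[str, float]) -> bool:
    """Reserve ratio of at least 100% for every asset."""
    return all(reserves.get(asset, 0.0) >= liab for asset, liab in liabilities.items())


def fictitious_borrower(user_id: str, borrow_btc: float) -> Account:
    """Account that exists only on paper: it owes `borrow_btc` BTC and holds enough
    illiquid ILLQ (20% over the debt's USD value) for its net USD equity to be positive."""
    collateral_illq = borrow_btc * PRICES_USD["BTC"] / PRICES_USD["ILLQ"] * 1.2
    return Account(user_id, {"BTC": -borrow_btc, "ILLQ": collateral_illq})


def demo() -> tuple[bool, bool, bool]:
    """Returns (honest netted result, netted result with a ghost user, gross result with the ghost)."""
    real_users = [
        Account("alice", {"BTC": 600.0}),
        Account("bob", {"BTC": 400.0, "ILLQ": 1_000.0}),
    ]
    # 50 BTC short of what users can withdraw; the exchange holds plenty of the cheap illiquid token.
    reserves = {"BTC": 950.0, "ILLQ": 100_000_000.0}

    honest = is_solvent(reserves, liabilities_netted(real_users))
    padded = real_users + [fictitious_borrower("ghost", 100.0)]
    netted_with_ghost = is_solvent(reserves, liabilities_netted(padded))
    gross_with_ghost = is_solvent(reserves, liabilities_gross(padded))
    return honest, netted_with_ghost, gross_with_ghost


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(False, True, False)`: the honest netted check fails on the 50 BTC gap, the ghost borrower's 100 BTC debt turns the netted check green while the ghost's net USD equity stays positive, and the gross count still reports 1,000 BTC owed to real users. The ILLQ "collateral" backing the ghost is the illiquid position Bottazzi warns the exchange could not realistically sell to meet BTC withdrawals.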

As a potential fix, Bottazzi proposed changing the PoR protocol so that additional information about each client's collateral and assets is fed into the algorithm.

For its part, Binance had earlier proposed incorporating its lending business logic into the zk-SNARK scheme: a third “collateral” field would be added to each user's token configuration, indicating the number of coins pledged as collateral for borrowing other assets.

The latest Binance PoR report is dated May 1. According to the document, 581,758 BTC (more than $35 billion) are held in users' accounts on the exchange. The platform's Bitcoin reserve ratio exceeds 106%.

In December 2022, Binance was ranked last for the quality of its PoR solution by Castle Island Ventures general partner Nick Carter. In his assessment, the exchange does not disclose the full scope of its liabilities, which makes it difficult for a third party to verify the procedure.

Source: Cryptocurrency
