# the BNB Bridge exploit demonstrated that IAVL Merkle proof forgery via hash computation bugs enables arbitrary cross-chain message injection and unbounded token minting

On October 6, 2022, an attacker registered as a BNB Bridge Relayer by depositing 100 BNB (routed via ChangeNOW). Using block height 110217401, a legitimately verified historical block hash, the attacker constructed forged cross-chain `IBCReceivePacket` messages that the bridge's native precompile accepted as valid.

The forgery relied on two compounding IAVL library bugs:

1. The `proofInnerNode.Hash` function excluded the Right child from hash computation whenever Left was non-empty, enabling arbitrary payload injection into Right without changing the computed root hash.
2. Range proof validation never asserted the structural constraint that inner nodes must have exactly one populated child field, accepting dual-field nodes as valid proof steps.

The attacker submitted two transactions, minting 1,000,000 BNB each (total 2,000,000 BNB, approximately $566M to $586M at the time). Rather than attempting to move BNB directly, the attacker deposited 900,000 BNB as collateral on Venus Protocol, borrowed approximately 147.8M in stablecoins (62.4M BUSD, 50M USDT, 35M USDC), and bridged the stablecoins to other EVM chains via Stargate Finance and Multichain in increments. Approximately $137M was exfiltrated before BNB Chain validators coordinated a network halt at block 22,107,423.

The Moran Hardfork, deployed October 12, 2022, patched both IAVL library bugs.

This incident contrasts with [[bridge validator set compromise enables unauthorized message relay as demonstrated by the Ronin $625M exploit]]: Ronin required compromising five private keys via social engineering; BNB Bridge required exploiting cryptographic implementation bugs in a native precompile. Both result in unauthorized message relay and unbounded minting, via different mechanisms.

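
The two IAVL bugs listed above can be seen in a reduced model. This is an added example, not code from the IAVL library or from BNB Chain: `InnerNode`, `digest`, `HashBuggy` and `HashStrict` are hypothetical names, and the one-byte length-prefix encoding is an assumed simplification of the real proof format.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// InnerNode is a simplified stand-in for an IAVL proof inner node (assumed layout,
// not the library's encoding). The proven child's hash is supplied separately.
type InnerNode struct {
	Height      byte
	Left, Right []byte
}

// digest hashes the height followed by length-prefixed parts (toy encoding).
func digest(height byte, parts ...[]byte) []byte {
	buf := []byte{height}
	for _, p := range parts {
		buf = append(append(buf, byte(len(p))), p...)
	}
	sum := sha256.Sum256(buf)
	return sum[:]
}

// HashBuggy mirrors the flaw: with Left set, Right never enters the hash.
func (n InnerNode) HashBuggy(child []byte) []byte {
	if len(n.Left) == 0 {
		return digest(n.Height, child, n.Right)
	}
	return digest(n.Height, n.Left, child)
}

// HashStrict enforces "exactly one sibling field populated" before hashing.
func (n InnerNode) HashStrict(child []byte) ([]byte, error) {
	if (len(n.Left) > 0) == (len(n.Right) > 0) {
		return nil, errors.New("inner node must set exactly one of Left/Right")
	}
	return n.HashBuggy(child), nil
}

func main() {
	child := digest(0, []byte("leaf")) // constructed sample values
	honest := InnerNode{Height: 1, Left: digest(0, []byte("sibling"))}
	tampered := InnerNode{Height: 1, Left: honest.Left, Right: []byte("unauthenticated")}
	fmt.Println("buggy hashes equal:", bytes.Equal(honest.HashBuggy(child), tampered.HashBuggy(child)))
	_, err := tampered.HashStrict(child)
	fmt.Println("strict check rejects tampered node:", err != nil)
}
```

Once the structural invariant holds, every populated field is covered by the hash, which is why `HashStrict` can reuse the original hashing path after the check.
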
The vulnerability was structurally outside the scope of standard Solidity auditing because the trust model relied on native precompile cryptographic verification rather than Solidity access control.

---

Relevant Notes:
- [[bridge validator set compromise enables unauthorized message relay as demonstrated by the Ronin $625M exploit]] -- contrast: different mechanism (key compromise vs proof forgery) producing the same outcome (unauthorized cross-chain message relay)
- [[cross-chain bridge cryptographic failures account for 40 percent of total Web3 hack losses through validator key compromise and signature scheme weaknesses]] -- context: BNB Bridge adds a cryptographic implementation failure subclass to the bridge loss taxonomy

Topics:
- [[exploit-analyses]]
- [[vulnerability-patterns]]
- [[protocol-mechanics]]