Binance called out for a "token approval limit" risk-control issue! Binance: actively optimizing the staking process to reduce risk
The blockchain data research organization Dilation Effect and Wu Shuo Blockchain jointly released a review of wallet addresses belonging to several exchanges and institutions yesterday. The inspection found inconsistencies in the ERC-20 token approval limits set by Binance and KuCoin wallet addresses, indicating shortcomings in security management.
🧐 Dilation Effect's quick review of mainstream exchange and institutional wallet addresses https://t.co/O4kpHVA1cr
— Dilation Effect (@dilationeffect) May 29, 2023
Review of Exchange and Institutional Wallet Security
This research article by Dilation Effect evaluates one wallet address each from Binance, KuCoin and Jump Trading, and points out the security issues found at each address.
Case One: Binance
In this case, the Binance address examined holds the largest asset balance of any Binance address: about $10 billion on Ethereum alone, and $16.1 billion across other chains.
A preliminary check with Etherscan's Token Approval Checker found around $3.2 billion in assets exposed to outstanding approvals, i.e. spendable by the approved contracts.
A closer look at the approval amounts per token found them inconsistent: some tokens are approved up to a fixed cap, while others carry unlimited approvals.
Dilation Effect also noted that BUSD, MATIC, SHIB and SAND, which all have substantial balances ($1.9 billion, $460 million, $260 million and $140 million respectively), are approved without any limit.
Dilation Effect highlighted three clear issues regarding this phenomenon:
- No routine revocation of approvals: the BUSD approvals have not been revoked for more than two years, which suggests this aspect of internal security management receives little attention at Binance. Even where the approved contracts themselves check out, the risk of managing third-party protocol integrations remains and should be addressed.
- Large approvals with no limit: capping the approved amount bounds the loss if an approved contract is compromised or misbehaves.
- Inconsistent approval rules: some tokens have limits while others do not, which points to unclear internal security policy or an unclear division of responsibilities.
Case Two: KuCoin
In this case, the KuCoin wallet address holds $1.7 billion on Ethereum and $1.9 billion across other chains.
Similarly, a preliminary check with Etherscan's Token Approval Checker found around $1.1 billion in assets exposed to outstanding approvals, with the same kind of inconsistency in approval rules seen at Binance.
Further investigation by Dilation Effect revealed two concerning signs:
- The address approved its APE to the Multichain cross-chain Router contract last April, and KuCoin still had not revoked that approval following last week's reports that members of the Multichain team had been arrested, which points to a weakness in KuCoin's emergency response.
- All major tokens at this address carry unlimited approvals to a contract named Bridge. Dilation Effect's analysis identified it as the cross-chain bridge contract of KuCoin's community chain KCC; no security audit report for it is available, which is itself a risk.
Case Three: Jump Trading
The address of financial institution Jump Trading holds $140 million on Ethereum and $150 million across other chains.
A preliminary check with Etherscan's Token Approval Checker found around $25 million in assets exposed to outstanding approvals. Unlike the previous two cases, Jump Trading has fewer token approvals, and almost all of them are capped, indicating better security management.
The only concern is an unlimited approval of USDC to Curve granted in 2021 that has not been revoked. Dilation Effect recommends revoking approvals for contracts that are no longer in use.
Binance's Response to Security Issues
The checks Dilation Effect performed are not complicated; with some patience, anyone can apply the same method to audit a wallet's approvals: list the wallet's outstanding ERC-20 approvals, note which are unlimited, how old each is, and how much of the balance each approved contract could move, then revoke the ones no longer needed.
Binance responded today to the issues raised in the article.
Binance stated that the team is optimizing its staking process to reduce any potential smart-contract risk, has set approval limits per token, and revokes the staking approvals after each contract completes.
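The audit described above, as an added example that is not Dilation Effect's method or Etherscan's tool: it replays a wallet's ERC-20 `Approval` logs to find the current allowance per (token, spender), flags unlimited, stale and balance-covering approvals, ranks them by dollars exposed, and builds the `approve(spender, 0)` calldata that revokes one. All addresses, balances, prices and timestamps are constructed; the "exposed = min(allowance, balance) x price" metric is an assumption about how "at risk" is computed. A log replay is only an approximation, since `transferFrom` lowers an allowance without emitting an `Approval` log; the authoritative value is `allowance(owner, spender)` read from the token contract.

```python
"""Replay ERC-20 Approval logs for one wallet and rank its outstanding approvals.
Added example with constructed data; not Dilation Effect's or Etherscan's tooling."""
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1  # what an "unlimited approval" is on-chain
# keccak256("Approval(address,address,uint256)"), topic[0] of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]
DAY = 86_400


@dataclass(frozen=True)
class Approval:
    token: str
    spender: str
    allowance: int  # raw units, i.e. before dividing by 10**decimals
    timestamp: int  # block timestamp of the log that set this allowance


def topic_to_address(topic: str) -> str:
    """Indexed addresses are stored as 32-byte words; the address is the low 20 bytes."""
    return ("0x" + topic[-40:]).lower()


def latest_allowances(owner: str, logs: list[dict]) -> dict[tuple[str, str], Approval]:
    """Replay Approval logs in chain order; the last log per (token, spender) wins and
    approve(spender, 0) deletes the entry. Caveat: transferFrom lowers an allowance
    without a log, so confirm with eth_call allowance(owner, spender) before acting."""
    current: dict[tuple[str, str], Approval] = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if topics[0] != APPROVAL_TOPIC or topic_to_address(topics[1]) != owner.lower():
            continue  # not an Approval log, or someone else's wallet
        key = (log["address"].lower(), topic_to_address(topics[2]))
        allowance = int(log["data"], 16)
        if allowance == 0:
            current.pop(key, None)  # revocation
        else:
            current[key] = Approval(key[0], key[1], allowance, log["timestamp"])
    return current


def assess(approvals, tokens, now, stale_days=365):
    """One finding per outstanding approval. Exposure = min(allowance, balance) * price,
    because a spender can never pull more than the wallet holds (assumed metric)."""
    findings = []
    for (token, spender), a in approvals.items():
        meta = tokens[token]
        exposed = min(a.allowance, meta["balance"]) / 10 ** meta["decimals"] * meta["price"]
        findings.append({
            "symbol": meta["symbol"], "spender": spender,
            "unlimited": a.allowance == UINT256_MAX,
            "covers_full_balance": a.allowance >= meta["balance"],
            "age_days": (now - a.timestamp) // DAY,
            "stale": now - a.timestamp > stale_days * DAY,
            "exposed_usd": round(exposed, 2),
        })
    return sorted(findings, key=lambda f: f["exposed_usd"], reverse=True)


def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0): selector, 32-byte padded address, 32-byte zero."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# ---- constructed sample: every address, balance, price and timestamp below is made up ----
def word(value) -> str:
    """Pad an address or integer to the 32-byte hex word used in topics and data."""
    hexval = value[2:] if isinstance(value, str) else format(value, "x")
    return "0x" + hexval.rjust(64, "0")


def approval_log(token, owner, spender, value, block, index, ts) -> dict:
    return {"address": token, "topics": [APPROVAL_TOPIC, word(owner), word(spender)],
            "data": word(value), "blockNumber": block, "logIndex": index, "timestamp": ts}


NOW = 1_685_491_200  # 2023-05-31T00:00:00Z
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
STAKING, ROUTER, OLD_BRIDGE = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
BUSD, MATIC = "0x" + "a1" * 20, "0x" + "b2" * 20  # placeholder token contract addresses
TOKENS = {
    BUSD:  {"symbol": "BUSD",  "decimals": 18, "balance": 1_900_000_000 * 10**18, "price": 1.0},
    MATIC: {"symbol": "MATIC", "decimals": 18, "balance": 500_000_000 * 10**18, "price": 0.92},
}
SAMPLE_LOGS = [
    approval_log(BUSD, OWNER, STAKING, UINT256_MAX, 12_000_000, 3, NOW - 800 * DAY),  # old, unlimited
    approval_log(MATIC, OWNER, OLD_BRIDGE, UINT256_MAX, 14_000_000, 1, NOW - 400 * DAY),
    approval_log(MATIC, OWNER, ROUTER, 100_000 * 10**18, 15_000_000, 7, NOW - 200 * DAY),
    approval_log(MATIC, OWNER, OLD_BRIDGE, 0, 16_000_000, 2, NOW - 100 * DAY),  # revoked
    approval_log(BUSD, OTHER, ROUTER, UINT256_MAX, 16_500_000, 4, NOW - 50 * DAY),  # other wallet
    approval_log(BUSD, OWNER, ROUTER, 50_000_000 * 10**18, 16_800_000, 0, NOW - 30 * DAY),
    approval_log(BUSD, OWNER, ROUTER, 5_000_000 * 10**18, 17_000_000, 5, NOW - 10 * DAY),  # lowered
]


def audit_sample() -> list[dict]:
    return assess(latest_allowances(OWNER, SAMPLE_LOGS), TOKENS, NOW)


if __name__ == "__main__":
    for f in audit_sample():
        flags = [k for k in ("unlimited", "covers_full_balance", "stale") if f[k]]
        print(f"{f['symbol']:6} -> {f['spender']}  ${f['exposed_usd']:>15,.2f}  {f['age_days']:4d}d  {flags}")
        if flags:
            print("   revoke with calldata:", revoke_calldata(f["spender"]))
```

Run as a script it prints the three surviving approvals in descending order of exposure: the two-year-old unlimited BUSD approval to the staking contract covers the whole $1.9 billion balance, the BUSD approval to the router was lowered by a later `approve` and counts at its latest value, and the MATIC approval to the old bridge is gone because it was set back to zero. The revocation is itself just `approve(spender, 0)`, which is why the calldata is a constant selector plus two padded words; the same function produces the transaction for every flagged row.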
Thank you for your feedback. The team is optimizing the staking process to reduce any potential smart-contract risk.
The security team has set different approval limits for different tokens and revokes the staking approval after each contract completes. To clarify, different staking projects apply different limits to different tokens, so the approval rules for a given token/project will not be entirely consistent.
— 币安Binance中文频道 (@binancezh) May 31, 2023