惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
F
Fortinet All Blogs
博客园_首页
The GitHub Blog
The GitHub Blog
V
Visual Studio Blog
D
DataBreaches.Net
aimingoo的专栏
aimingoo的专栏
爱范儿
爱范儿
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
N
Netflix TechBlog - Medium
阮一峰的网络日志
阮一峰的网络日志
P
Proofpoint News Feed
D
Docker
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
The Cloudflare Blog
罗磊的独立博客
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
T
The Exploit Database - CXSecurity.com
博客园 - 三生石上(FineUI控件)
量子位
The Last Watchdog
The Last Watchdog
MyScale Blog
MyScale Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
The Blog of Author Tim Ferriss
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
小众软件
小众软件
Cloudbric
Cloudbric
博客园 - 司徒正美
H
Help Net Security
人人都是产品经理
人人都是产品经理
Application and Cybersecurity Blog
Application and Cybersecurity Blog
L
LangChain Blog
Latest news
Latest news
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
博客园 - Franky
S
Security Affairs
W
WeLiveSecurity
F
Full Disclosure
Know Your Adversary
Know Your Adversary
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
Cyberwarzone
Cyberwarzone
美团技术团队
PCI Perspectives
PCI Perspectives
C
Check Point Blog
Spread Privacy
Spread Privacy

Ethereum Foundation Blog

Checkpoint #9: Apr 2026 | Ethereum Foundation Blog How L1 and L2s can build the strongest possible Ethereum | Ethereum Foundation Blog The Promise of Ethereum: Introducing the EF Mandate | Ethereum Foundation Blog This Is Fine (Until the Grant Runs Out) | Ethereum Foundation Blog Treasury Staking Initiative | Ethereum Foundation Blog The Ethereum Foundation's Commitment to DeFi | Ethereum Foundation Blog Protocol Priorities Update for 2026 | Ethereum Foundation Blog Announcing the Platform Team at EF | Ethereum Foundation Blog Ethereum Protocol Studies 2026 | Ethereum Foundation Blog Executive Leadership Update | Ethereum Foundation Blog An update from Tomasz | Ethereum Foundation Blog Introducing the EF Academic Secretariat 2026 PhD Fellowship | Ethereum Foundation Blog Trillion Dollar Security Day at Devconnect | Ethereum Foundation Blog Allocation Update - Q4 2025 | Ethereum Foundation Blog Checkpoint #8: Jan 2026 | Ethereum Foundation Blog Devcon 8 is coming to Mumbai, India in November 2026 | Ethereum Foundation Blog Hegota Upgrade EIP Proposal Timelines | Ethereum Foundation Blog Shipping an L1 zkEVM #2: The Security Foundations | Ethereum Foundation Blog The Future of Ethereum’s State | Ethereum Foundation Blog Devconnect Argentina Recap | Ethereum Foundation Blog Allocation Update - Q3 2025 | Ethereum Foundation Blog Making Ethereum Feel Like One Chain Again | Ethereum Foundation Blog Checkpoint #7: Nov 2025 | Ethereum Foundation Blog Fusaka Mainnet Announcement | Ethereum Foundation Blog 2 weeks to Devconnect: Everything you need to know | Ethereum Foundation Blog Unveiling ESP's New Grants Program | Ethereum Foundation Blog Fusaka Update – Transaction Gas Limit Cap arrives with EIP-7825 | Ethereum Foundation Blog Fusaka Update - Information for Blob users | Ethereum Foundation Blog Announcing the 2026 EF Internship | Ethereum Foundation Blog Supporting privacy with new funding mechanisms | Ethereum Foundation Blog The Ethereum Foundation’s Commitment to Privacy | Ethereum Foundation Blog Checkpoint #6: Oct 2025 | Ethereum Foundation Blog Privacy Cluster Leadership Announcement | Ethereum Foundation Blog Fusaka Testnet Announcement | Ethereum Foundation Blog Announcing the districts of the Ethereum World’s Fair | Ethereum Foundation Blog Fusaka $2,000,000 Audit Contest! | Ethereum Foundation Blog Holešky Testnet Shutdown Announcement | Ethereum Foundation Blog The Ecosystem Support Program's Next Chapter | Ethereum Foundation Blog Protocol Update 003 — Improve UX | Ethereum Foundation Blog Protocol Update 002 - Scale Blobs | Ethereum Foundation Blog Trillion Dollar Security - Phase 2 | Ethereum Foundation Blog Join Us: EF Protocol Reddit AMA - August 29th, 2025 | Ethereum Foundation Blog Protocol Update 001 – Scale L1 | Ethereum Foundation Blog lean Ethereum | Ethereum Foundation Blog Celebrating 10 Years of Ethereum | Ethereum Foundation Blog Checkpoint #5: July 2025 | Ethereum Foundation Blog Allocation Update - Q2 2025 | Ethereum Foundation Blog The Future of Ecosystem Development at the EF | Ethereum Foundation Blog Shipping an L1 zkEVM #1: Realtime Proving | Ethereum Foundation Blog Partial history expiry announcement | Ethereum Foundation Blog Checkpoint #4: Berlinterop | Ethereum Foundation Blog World Experience: Updates from the Next Billion Fellowship | Ethereum Foundation Blog Now accepting interns - Join the Ethereum Season of Internships | Ethereum Foundation Blog Tickets are live for the Ethereum World’s Fair! And we're launching the Supporter Program | Ethereum Foundation Blog Ethereum Foundation Treasury Policy | Ethereum Foundation Blog Checkpoint #3: June 2025 | Ethereum Foundation Blog Announcing the Devconnect ARG Scholars Program | Ethereum Foundation Blog Announcing Protocol | Ethereum Foundation Blog Nyota Interop Recap ✨ | Ethereum Foundation Blog Allocation Update - Q1 2024 | Ethereum Foundation Blog Announcing the Ethereum Protocol Fellowship Cohort 5 | Ethereum Foundation Blog Ethereum Protocol Fellowship Cohort 4 Recap | Ethereum Foundation Blog Sepolia Incident | Ethereum Foundation Blog Announcing the Devcon SEA venue! | Ethereum Foundation Blog Devconnect Scholars Program - Ethereum Stories from Istanbul and Beyond | Ethereum Foundation Blog Dencun Mainnet Announcement | Ethereum Foundation Blog ZK Grants Round | Ethereum Foundation Blog Eth2 at ETHWaterloo: Prizes for Eth2 education, tooling, and research | Ethereum Foundation Blog eth2 quick update no. 2 | Ethereum Foundation Blog Devcon4 Ticket Sales | Ethereum Foundation Blog Announcing Swarm Proof-of-Concept Release 3 | Ethereum Foundation Blog Devcon4 Announcement | Ethereum Foundation Blog Announcing May 2018 Cohort of EF Grants | Ethereum Foundation Blog Announcing World Trade Francs: The Official Ethereum Stablecoin | Ethereum Foundation Blog Announcing Beneficiaries of the Ethereum Foundation Grants | Ethereum Foundation Blog Geth 1.8 - Iceberg¹ | Ethereum Foundation Blog Farewell and Welcome | Ethereum Foundation Blog Security Alert - Solidity - Variables can be overwritten in storage | Ethereum Foundation Blog Uncle Rate and Transaction Fee Analysis | Ethereum Foundation Blog Announcement of imminent hard fork for EIP150 gas cost changes | Ethereum Foundation Blog Dev Update: Formal Methods | Ethereum Foundation Blog On Inflation, Transaction Fees and Cryptocurrency Monetary Policy | Ethereum Foundation Blog Onward from the Hard Fork | Ethereum Foundation Blog C++ DEV Update - July edition | Ethereum Foundation Blog The Devcon2 site is now live! | Ethereum Foundation Blog Security Alert - DoS Vulnerability in the Soft Fork | Ethereum Foundation Blog DAO Wars: Your voice on the soft-fork dilemma | Ethereum Foundation Blog Smart Contract Security | Ethereum Foundation Blog Security Alert – Geth suffers from a very low probable DoS attack vector - Update immediately | Ethereum Foundation Blog On Settlement Finality | Ethereum Foundation Blog Ethereum Foundation and Wanxiang Blockchain Labs announce a blockbuster event combining Devcon2 and the 2nd Global Blockchain Summit in Shanghai, September 19–24, 2016 | Ethereum Foundation Blog Ethereum Partners with R3CEV on Lizardcoin, Bringing Together the Best of Centralized Finance and Blockchain Technology | Ethereum Foundation Blog From Smart Contracts to Courts with not so Smart Judges | Ethereum Foundation Blog BTC Relay included in Ethereum Bounty Program | Ethereum Foundation Blog Ethereum DEV Update: C++ Roadmap | Ethereum Foundation Blog Cut and try: building a dream | Ethereum Foundation Blog Ambients Applied to Ethereum | Ethereum Foundation Blog Mihai’s Ethereum Project Update. The First Year. | Ethereum Foundation Blog Getting to the Frontier | Ethereum Foundation Blog The Ethereum Development Process | Ethereum Foundation Blog
CVE-2025-30147 - The curious case of subgroup check on Besu | Ethereum Foundation Blog
2025-05-07 · via Ethereum Foundation Blog

Thanks to Marius Van Der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. Also, kudos to the Besu team, the EF security team, and Kevaundray Wedderburn. Additionally, thanks to Yuxiang Qiu, Justin Traglia, Marius Van Der Wijden, Benedikt Wagner, and Kevaundray Wedderburn for proofreading. If you have any other questions/comments, find me on twitter at @asanso

tl;dr: Besu Ethereum execution client version 25.2.2 suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0. Here is the full CVE report.

N.B.: Part of this post requires some knowledge about elliptic curves (cryptography).

Introduction

The bn254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, making it crucial for various Ethereum features. Prior to EIP-2537 and the recent Pectra release, bn254 was the only pairing curve supported by the Ethereum Virtual Machine (EVM). EIP-196 and EIP-197 define precompiled contracts for efficient computation on this curve. For more details about bn254, you can read here.

A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first introduced in the paper “Differential fault attacks on elliptic curve cryptosystems”. This attack targets the use of points that do not lie on the correct elliptic curve, leading to potential security issues in cryptographic protocols. For non-prime order curves (like those appearing in pairing-based cryptography and in G2G_2 for bn254), it is especially important that the point is in the correct subgroup. If the point does not belong to the correct subgroup, the cryptographic operation can be manipulated, potentially compromising the security of systems relying on elliptic curve cryptography.

To check if a point P is valid in elliptic curve cryptography, it must be verified that the point lies on the curve and belongs to the correct subgroup. This is especially critical when the point P comes from an untrusted or potentially malicious source, as invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode demonstrating this process:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_on_curve(P):    
        return False
    if not is_in_subgroup(P):
        return False
    return True

Subgroup membership checks

As mentioned above, when working with any point of unknown origin, it is crucial to verify that it belongs to the correct subgroup, in addition to confirming that the point lies on the correct curve. For bn254, this is only necessary for G2G_2, because G1G_1 is of prime order. A straightforward method to test membership in GG is to multiply a point by the subgroup’s prime order nn; if the result is the identity element, then the point is in the subgroup. However, this method can be costly in practice due to the large size of the prime rr, especially for G2G_2. In 2021, Scott proposed a faster method for subgroup membership testing on BLS12 curves using an easily computable endomorphism, making the process 2×, 4×, and 4× quicker for different groups (this technique is the one specified in EIP-2537 for fast subgroup checks, as detailed in this document). Later, Dai et al. generalized Scott's technique to work for a broader range of curves, including BN curves, reducing the number of operations required for subgroup membership checks. In some cases, the process can be nearly free. Koshelev also introduced a method for non-pairing-friendly curves using the Tate pairing, which was eventually further generalized to pairing-friendly curves.

The Real Slim Shady

As you can see from the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu, submitted via the Pectra Audit Competition. We're only lightly touching on that issue here, in case the original reporter wants to cover it in more detail. This post focuses specifically on the BN254 EIP-196/EIP-197 vulnerability.

The original reporter observed that in Besu, the is_in_subgroup check was performed before the is_on_curve check. Here's an example of what that might look like:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        if not is_on_curve(P):
            return False  
        return False
    return True

Intrigued by the issue above on the BLS curve, we decided to take a look at the Besu code for the BN curve. To my great surprise, we found something like this:

# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):    
        return False
    return True

Wait, what? Where is the is_on_curve check? Exactly—there isn't one!!!

Now, to potentially bypass the is_valid_point function, all you'd need to do is provide a point that lies within the correct subgroup but isn't actually on the curve.

But wait—is that even possible?

Well, yes—but only for particular, well-chosen curves. Specifically, if two curves are isomorphic, they share the same group structure, which means you could craft a point from the isomorphic curve that passes subgroup checks but doesn't lie on the intended curve.

Sneaky, right?

Did you say isomorpshism?

Feel free to skip this section if you're not interested in the details—we're about to go a bit deeper into the math.

Let Fq\mathbb{F}_q be a finite field with characteristic different from 2 and 3, meaning q=pfq = p^f for some prime p≥5p \geq 5 and integer f≥1f \geq 1. We consider elliptic curves EE over Fq\mathbb{F}_q given by the short Weierstraß equation:

y2=x3+Ax+By^2 = x^3 + A x + B

where AA and BB are constants satisfying 4A3+27B2≠04A^3 + 27B^2 \neq 0.^[This condition ensures the curve is non-singular; if it were violated, the equation would define a singular point lacking a well-defined tangent, making it impossible to perform meaningful self-addition. In such cases, the object is not technically an elliptic curve.]

Curve Isomorphisms

Two elliptic curves are considered isomorphic^[To exploit the vulnerabilities described here, we really want isomorphic curves, not just isogenous curves.] if they can be related by an affine change of variables. Such transformations preserve the group structure and ensure that point addition remains consistent. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape:

(x,y)↦(e2x,e3y)(x, y) \mapsto (e^2 x, e^3 y)

for some nonzero e∈Fqe \in \mathbb{F}_q. Applying this transformation to the curve equation results in:

y2=x3+Ae4x+Be6y^2 = x^3 + A e^{4} x + B e^{6}

The jj-invariant of a curve is defined as:

j=17284A34A3+27B2j = 1728 \frac{4A^3}{4A^3 + 27B^2}

Every element of Fq\mathbb{F}_q can be a possible jj-invariant.^[Both BLS and BN curves have a j-invariant equal to 0, which is really special.] When two elliptic curves share the same jj-invariant, they are either isomorphic (in the sense described above) or they are twists of each other.^[We omit the discussion about twists here, as they are not relevant to this case.]

Exploitability

At this point, all that's left is to craft a suitable point on a carefully chosen curve, and voilà—le jeu est fait.

You can try the test vector using this link and enjoy the ride.

Conclusion

In this post, we explored the vulnerability in Besu's implementation of elliptic curve checks. This flaw, if exploited, could allow an attacker to craft a point that passes subgroup membership checks but does not lie on the actual curve. The Besu team has since addressed this issue in release 25.3.0. While the issue was isolated to Besu and did not affect other clients, discrepancies like this raise important concerns for multi-client ecosystems like Ethereum. A mismatch in cryptographic checks between clients can result in divergent behavior—where one client accepts a transaction or block that another rejects. This kind of inconsistency can jeopardize consensus and undermine trust in the network’s uniformity, especially when subtle bugs remain unnoticed across implementations. This incident highlights why rigorous testing and robust security practices are absolutely essential—especially in blockchain systems, where even minor cryptographic missteps can ripple out into major systemic vulnerabilities. Initiatives like the Pectra audit competition play a crucial role in proactively surfacing these issues before they reach production. By encouraging diverse eyes to scrutinize the code, such efforts strengthen the overall resilience of the ecosystem.

Timeline

  • 15-03-2025 – Bug affecting Pectra EIP-2537 on Besu reported via the Pectra Audit Competition.
  • 17-03-2025 – Discovered and reported the EIP-196/EIP-197 issue to the Besu team.
  • 17-03-2025 – Marius Van Der Wijden created a test case and statetest to reproduce the issue.
  • 17-03-2025 – The Besu team promptly acknowledged and fixed the issue.