Thanks to Marius van der Wijden for creating a test case and statetest, and for helping the Besu team confirm the issue. Also, kudos to the Besu team, the EF security team, and Kevaundray Wedderburn. In addition, thanks to Justin Traglia, Marius van der Wijden, Benedikt Wagner, and Kevaundray Wedderburn for proofreading. If you have any other questions/comments, find me on Twitter.
TL;DR: The Besu Ethereum execution client, version 25.2.2, suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue has been fixed in version 25.3.0.
Here is the full CVE report.
Note: Part of this post requires some knowledge of elliptic curves (cryptography).
Introduction
The bn254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, making it crucial for various Ethereum features. Prior to EIP-2537 and the recent Pectra release, bn254 was the only pairing curve supported by the Ethereum Virtual Machine (EVM). EIP-196 and EIP-197 define the precompiled contracts for efficient computation on this curve. For more details about bn254, you can read here.
A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first presented in the paper "Differential fault attacks on elliptic curve cryptosystems". This attack targets the use of points that do not lie on the correct elliptic curve, which leads to potential security problems in cryptographic protocols. For non-prime order curves (such as those that appear in pairing-based cryptography and in for bn254), it is especially important that the point is in the correct subgroup. If the point does not belong to the correct subgroup, the cryptographic operation can be manipulated, which may compromise the security of systems that rely on elliptic curve cryptography.
To check whether a point P is valid in elliptic curve cryptography, it must be verified that the point is on the curve and belongs to the correct subgroup. This is especially important when the point P comes from an untrusted or potentially malicious source, as invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode that shows this process:
```python
# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_on_curve(P):
        return False
    if not is_in_subgroup(P):
        return False
    return True
```
Subgroup membership checks
As mentioned above, when working with any point of unknown origin, it is crucial to verify that it belongs to the correct subgroup, in addition to confirming that the point lies on the correct curve. For bn254, this is only necessary for because is of prime order. A straightforward way to test membership in is to multiply the point by , where is the cofactor of the curve, the ratio between the order of the curve and the order of the base point.
However, this method can be expensive in practice due to the large size of the prime , especially for . In 2021, Scott proposed a faster way to test subgroup membership on BLS12 curves using an easily computable endomorphism, making the process 2x, 4x, and 4x faster for different groups (this technique is the one specified in EIP-2537 for fast subgroup checks, as detailed in this document). Later, Dai et al. generalized Scott's technique to work on a broader set of curves, including BN curves, which reduces the number of operations needed for subgroup membership checks. In some cases, the process can be almost free. Koshelev also introduced a method for non-pairing-friendly curves using the Tate pairing, which was eventually further generalized to pairing-friendly curves.
The Real Slim Shady
As you can see from the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu, submitted via the Pectra Audit Competition. We only touch on that issue lightly here, in case the original reporter wishes to cover it in more detail. This post focuses specifically on the bn254 EIP-196/EIP-197 issue.
The original reporter noticed that in Besu, the is_in_subgroup check was performed before the is_on_curve check. Here is an example of what that might look like:
```python
# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):
        if not is_on_curve(P):
            return False
        return False
    return True
```
Intrigued by the issue above on the BLS curve, we decided to take a look at the Besu code for the BN curve. To my great surprise, we found something like this:
```python
# Pseudocode for checking if point P is valid
def is_valid_point(P):
    if not is_in_subgroup(P):
        return False
    return True
```
Wait, what? Where is the is_on_curve check? Exactly: there isn't one!!!
Now, to bypass the is_valid_point function, all you have to do is provide a point that lies in the correct subgroup but is not actually on the curve.
But wait – is this possible?
Well, yes, but only for particular, well-chosen curves. Specifically, if two curves are isomorphic, they share the same group structure, which means that you can craft a point from the isomorphic curve that passes the subgroup checks but does not lie on the intended curve.
Sneaky, right?
Did you say isomorphism?
Feel free to skip this section if you are not interested in the details; we are about to go deeper into the math.
Let be a finite field with characteristic different from 2 and 3, meaning for some prime and integer . We consider elliptic curves over given by the short Weierstraß equation:
where and are constants satisfying .^[This condition ensures the curve is non-singular; if it were violated, the equation would define a singular point lacking a well-defined tangent, making it impossible to perform meaningful self-addition. In such cases, the object is not technically an elliptic curve.]
Curve isomorphisms
Two curves are considered isomorphic^[To exploit the vulnerabilities described here, we really want isomorphic curves, not just isogenous curves.] if they can be related by an affine change of variables. Such transformations preserve the group structure and ensure that point addition remains consistent. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape:
for some nonzero . Applying this transformation to the curve equation results in:
The j-invariant of a curve is defined as follows:
Every element can be a possible j-invariant.^[Both BLS and BN curves have a j-invariant equal to 0, which is really special.] When two elliptic curves share the same j-invariant, they are either isomorphic (in the sense described above) or they are twists of each other.^[We omit the discussion about twists here, as they are not relevant to this case.]
Exploitation
At this point, all that remains is to craft a suitable point on a carefully chosen curve, and voilà, le jeu est fait.
You can try the test at this link. Enjoy the ride.
Conclusion
In this post, we explored a vulnerability in Besu's implementation of elliptic curve checks. This flaw, if exploited, could allow an attacker to craft a point that passes subgroup membership checks but does not lie on the actual curve. The Besu team has since addressed this issue in version 25.3.0. Although the issue was isolated to Besu and did not affect other clients, discrepancies like this raise important concerns for multi-client ecosystems such as Ethereum. A mismatch in cryptographic checks between clients can lead to divergent behavior, where one client accepts a transaction or block that another rejects. This kind of inconsistency can put consensus at risk and undermine trust in the uniformity of the network, especially when subtle bugs remain unnoticed across implementations.
This incident highlights why rigorous testing and robust security practices are so essential, especially in blockchain systems, where even minor cryptographic missteps can turn into major vulnerabilities. Initiatives such as the Pectra Audit Competition play a crucial role in surfacing these problems early, before they reach production. By encouraging diverse eyes to scrutinize the code, these efforts strengthen the overall resilience of the ecosystem.
Timeline
- 15-03-2025 - Issue affecting Pectra EIP-2537 on Besu reported via the Pectra Audit Competition.
- 17-03-2025 - Discovered and reported the EIP-196/EIP-197 issue to the Besu team.
- 17-03-2025 - Marius van der Wijden created a test case and statetest to reproduce the issue.
- 17-03-2025 - The Besu team promptly acknowledged and fixed the issue.