Thanks to Marius Van Der Wijden for creating the test case and statetest, and for helping the Besu team confirm the issue. Also, kudos to the Besu team, the EF security team, and Kevaundray Wedderburn. Additionally, thanks to Justin Traglia, Marius Van Der Wijden, Benedict Wagner, and Kevaundray Wedderburn for proofreading. If you have any other questions/comments, find me on twitter at https://twitter.com/asanso
tl;dr: Besu Ethereum execution client version 25.2.2 suffered from a consensus issue related to the EIP-196/EIP-197 precompiled contract handling for the elliptic curve alt_bn128 (a.k.a. bn254). The issue was fixed in release 25.3.0. Here is the full CVE report.
N.B.: Part of this post requires some knowledge about elliptic curves (cryptography).
Introduction
The bn254 curve (also known as alt_bn128) is an elliptic curve used in Ethereum for cryptographic operations. It supports operations such as elliptic curve cryptography, making it important for various Ethereum features. Prior to EIP-2537 and the recent Pectra release, bn254 was the only pairing curve supported by the Ethereum Virtual Machine (EVM). EIP-196 and EIP-197 define precompiled contracts for efficient computation on this curve. For more details about bn254, you can read here.
A significant security vulnerability in elliptic curve cryptography is the invalid curve attack, first introduced in the paper "Differential fault attacks on elliptic curve cryptosystems". This attack targets the use of points that do not lie on the correct elliptic curve, leading to potential security issues in cryptographic protocols. For non-prime order curves (like those appearing in pairing-based cryptography and in $G_2$ for bn254), it is especially important that the point is in the correct subgroup. If the point does not belong to the correct subgroup, the cryptographic operation can be manipulated, potentially compromising the security of systems relying on elliptic curve cryptography.
To check if a point $P$ is valid in elliptic curve cryptography, it must be verified that the point lies on the curve and belongs to the correct subgroup. This is especially critical when the point $P$ comes from an untrusted or potentially malicious source, as invalid or specially crafted points can lead to security vulnerabilities. Below is pseudocode demonstrating this process:
Subgroup membership checks
As mentioned above, when working with any point of unknown origin, it is important to verify that it belongs to the correct subgroup, in addition to confirming that the point lies on the correct curve. For bn254, this is only necessary for $G_2$, because $G_1$ is of prime order. A straightforward method to test membership in $G$ is to multiply a point by $r$, where $r$ is the cofactor of the curve, which is the ratio between the order of the curve and the order of the base point.
However, this method can be costly in practice due to the large size of the prime $r$, particularly for $G_2$. In 2021, Scott proposed a faster method for subgroup membership testing on BLS12 curves using an easily computable endomorphism, making the process 2×, 4×, and 4× faster for the different groups (this method is the one specified in EIP-2537 for fast subgroup checks, as detailed in this document). Later, Dai et al. generalized Scott's technique to work for a broader range of curves, including BN curves, reducing the number of operations required for subgroup membership checks. In some cases, the process can be almost free. Koshelev also introduced a method for non-pairing-friendly curves using the Tate pairing, which was eventually further generalized to pairing-friendly curves.
The Real Slim Shady
As you can see from the timeline at the end of this post, we received a report about a bug affecting Pectra EIP-2537 on Besu, submitted via the Pectra Audit Competition. We're only lightly touching on that issue here, in case the original reporter wants to cover it in more detail. This post focuses specifically on the BN254 EIP-196/EIP-197 vulnerability.
The original reporter observed that in Besu, the is_in_subgroup check was performed before the is_on_curve check. Here's an example of what that might look like:
Intrigued by the issue above on the BLS curve, we decided to take a look at the Besu code for the BN curve. To my great surprise, we found something like this:
Wait, what? Where is the is_on_curve check? Exactly: there isn't one!!!
Now, to potentially bypass the is_valid_point function, all you'd need to do is supply a point that lies within the correct subgroup but isn't actually on the curve.
But wait, is that even possible?
Well, yes, but only for specific, well-chosen curves. Specifically, if two curves are isomorphic, they share the same group structure, which means you could craft a point from the isomorphic curve that passes subgroup checks but doesn't lie on the intended curve.
Sneaky, right?
Did you say isomorphism?
Feel free to skip this section if you're not interested in the details; we're about to go a bit deeper into the math.
Let $\mathbb{F}_q$ be a finite field with characteristic different from 2 and 3, meaning $q = p^f$ for some prime $p \geq 5$ and integer $f \geq 1$. We consider elliptic curves $E$ over $\mathbb{F}_q$ given by the short Weierstraß equation:
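The following is an added example (my own code, not Besu's and not from the original post) that makes the two checks concrete for bn254 $G_1$ and applies the change of variables $(x, y) \mapsto (e^2 x, e^3 y)$ discussed in the next section: a point crafted on the isomorphic curve $y^2 = x^3 + 3e^6$ passes the naive subgroup test yet fails the on-curve test, which is exactly why the on-curve check cannot be dropped. It also stands in for the validation pseudocode referred to in the introduction; $G_1$ is used for brevity (the same group law, and the same gap, apply to $G_2$), and the function names and the point-at-infinity encoding are my assumptions.

```python
# Added example (not Besu code): bn254 G1 point validation, showing why a
# subgroup check alone is not enough. Curve constants are the public bn254 values.
P_MOD = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R_ORDER = 21888242871839275222246405745257275088548364400416034343698204186575808495617
B = 3          # bn254 G1 is y^2 = x^3 + 3 (A = 0, B = 3)
INF = None     # point at infinity
G1_GEN = (1, 2)

def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + B)) % P_MOD == 0

def add(p, q):
    # Short-Weierstrass group law for A = 0. The formulas never use B, so this
    # is also the group law of every isomorphic curve y^2 = x^3 + B'.
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF          # P + (-P)
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, p):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def is_in_subgroup(pt):
    # Naive test from the post: [r]P must be the identity.
    return mul(R_ORDER, pt) is INF

def is_valid_point(pt):
    # Correct validation: on-curve first, then subgroup membership.
    return is_on_curve(pt) and is_in_subgroup(pt)

def isomorphic_image(pt, e):
    # Map (2) from the post: (x, y) -> (e^2 x, e^3 y). The image lies on
    # y^2 = x^3 + 3 e^6, an isomorphic curve with the same group order r.
    x, y = pt
    return (e * e * x % P_MOD, pow(e, 3, P_MOD) * y % P_MOD)
```

Dropping the `is_on_curve` conjunct from `is_valid_point` reproduces the accepting behaviour described for Besu 25.2.2: `isomorphic_image(G1_GEN, e)` then validates for any nonzero `e`.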
\begin{equation}\tag{1}
y^2 = x^3 + A x + B
\end{equation}
where $A$ and $B$ are constants satisfying $4A^3 + 27B^2 \neq 0$.^[This condition ensures the curve is non-singular; if it were violated, the equation would define a singular point lacking a well-defined tangent, making it impossible to perform meaningful self-addition. In such cases, the object is not technically an elliptic curve.]
Curve Isomorphisms
Two elliptic curves are considered isomorphic^[To exploit the vulnerabilities described here, we really want isomorphic curves, not just isogenous curves.] if they can be related by an affine change of variables. Such transformations preserve the group structure and ensure that point addition remains consistent. It can be shown that the only possible transformations between two curves in short Weierstraß form take the shape:
\begin{equation}\tag{2} (x, y) \mapsto (e^2 x, e^3 y) \end{equation}
for some nonzero $e \in \mathbb{F}_q$. Applying this transformation to the curve equation results in:
\begin{equation}\tag{3} y^2 = x^3 + A e^{4} x + B e^{6} \end{equation}
The $j$-invariant of a curve is defined as:
\begin{equation}\tag{4}
j = 1728 \frac{4A^3}{4A^3 + 27B^2}
\end{equation}
Every element of $\mathbb{F}_q$ can be a possible $j$-invariant.^[Both BLS and BN curves have a $j$-invariant equal to 0, which is actually special.] When two elliptic curves share the same $j$-invariant, they are either isomorphic (in the sense described above) or they are twists of each other.^[We omit the discussion about twists here, as they are not relevant to this case.]
Exploitability
At this point, all that's left is to craft a suitable point on a carefully chosen curve, and voilà, the game is done.
You can try the test vector using this link and enjoy the ride.
Conclusion
In this post, we explored the vulnerability in Besu's implementation of elliptic curve checks. This flaw, if exploited, could allow an attacker to craft a point that passes subgroup membership checks but does not lie on the actual curve. The Besu team has since addressed this issue in release 25.3.0. While the issue was isolated to Besu and did not affect other clients, discrepancies like this raise significant concerns for multi-client ecosystems like Ethereum. A mismatch in cryptographic checks between clients can result in divergent behavior, where one client accepts a transaction or block that another rejects. This kind of inconsistency can jeopardize consensus and undermine trust in the network's uniformity, especially when subtle bugs remain unnoticed across implementations. This incident highlights why rigorous testing and robust security practices are absolutely essential, especially in blockchain systems, where even minor cryptographic missteps can ripple out into major systemic vulnerabilities. Initiatives like the Pectra audit competition play a crucial role in proactively surfacing these issues before they reach production. By encouraging diverse eyes to scrutinize the code, such efforts strengthen the overall resilience of the ecosystem.
Timeline
- 15-03-2025 – Bug affecting Pectra EIP-2537 on Besu reported via the Pectra Audit Competition.
- 17-03-2025 – Discovered and reported the EIP-196/EIP-197 issue to the Besu team.
- 17-03-2025 – Marius Van Der Wijden created a test case and statetest to reproduce the issue.
- 17-03-2025 – The Besu team promptly acknowledged and fixed the issue.