The hacker's art of the "free ride" | How to say hi to CZ for 0.01 BNB
Editor
2025-03-28 19:01


Author: 23pds & Thinking

Background

Yesterday, while I was still sorting through material on APT attacks, Shan Ge (@im23pds) suddenly came over to my desk, excited: "Thinking, I found an interesting project. CZ is using it a lot, so we might be able to say hi to CZ at zero cost." So we quickly listed several possible vulnerabilities:

Hiding CZ's account on ReachMe;

Changing CZ's account on ReachMe;

Sending messages to CZ without paying, bypassing the rule that messaging him costs 1 BNB.

About 10 minutes later, we found a vulnerability that lets anyone say hi to any user at low cost, so we contacted the project team immediately and provided the details needed to verify it. The project team fixed the vulnerability promptly and contacted us for a retest. We appreciate the serious and rigorous attitude the ReachMe team takes toward security issues!

(https://x.com/SlowMist_Team/status/1905212712956665896)

In addition, the SlowMist Security Team is honored to have received recognition from CZ and the ReachMe project team.

(https://x.com/cz_binance/status/1905240886986039437)

Discovery Process

ReachMe.io is a paid messaging platform built on BNB Chain that aims to connect KOLs (key opinion leaders) with their fans through a cryptocurrency payment mechanism. Users pay BNB to send private messages to KOLs; the KOL receives 90% of the fee (the platform takes a 10% commission), and if the KOL does not reply within 5 days the user receives a 50% refund.

On March 27, 2025, Binance founder CZ changed his X profile to: "DM: https://reachme.io/@cz_binance (fees go to charity)", that is, "DM me on ReachMe; the fees go to charity."

We could see that saying hi to CZ costs 1 BNB, so we came up with a few approaches and tried them to see how the 1 BNB requirement could be bypassed. After some research with Shan Ge, we found that when ReachMe sends a message to any KOL, it first creates a summary of the message through the "/api/kol/message" interface, and that summary contains an "_id" field. When the message is sent, this value is passed as the _identifier parameter of the on-chain contract function deposit(string _identifier, address _kolAddress).

The BNB that accompanies a message to a KOL is simply the BNB value attached to the deposit call. So we constructed a transaction that called deposit with the "_identifier" of our "Hi CZ" message and CZ's address, attaching 0.01 BNB (the contract's minimum is 0.001 BNB).

Because ReachMe's original design did not put each KOL's configured message price into the contract where it could be checked (perhaps so that KOLs could adjust their price at any time without paying gas?), the 1 BNB limit can be bypassed by modifying the front-end code, modifying the network response, or interacting with the contract directly. The server side does not catch this either: when it retrieves transactions from the chain, it fails to compare the message price against the amount of BNB actually sent in the transaction.
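The following is an added illustration, not ReachMe's code: it models the server-side reconciliation step in Python, with the identifier-only check the write-up describes beside a hardened check that also compares the on-chain deposit value and recipient against the KOL's configured price. The field names, addresses and message ids are assumptions constructed for the example.

```python
from dataclasses import dataclass

WEI_PER_BNB = 10**18  # 1 BNB = 1e18 wei

@dataclass(frozen=True)
class MessageRecord:
    # Off-chain summary returned by "/api/kol/message" (assumed field names).
    id: str           # the "_id" that becomes deposit()'s _identifier
    kol_address: str  # intended recipient
    price_wei: int    # the KOL's configured message price

@dataclass(frozen=True)
class DepositEvent:
    # One deposit(string _identifier, address _kolAddress) call indexed from the chain.
    identifier: str
    kol_address: str
    value_wei: int    # BNB actually attached to the call (msg.value)

def vulnerable_accept(msg: MessageRecord, dep: DepositEvent) -> bool:
    # The check as the write-up describes it: only the identifier is matched,
    # so any deposit above the contract's 0.001 BNB minimum delivers the message.
    return dep.identifier == msg.id

def hardened_accept(msg: MessageRecord, dep: DepositEvent) -> bool:
    # Server-side reconciliation that mirrors the price: same message, same KOL,
    # and at least the configured price actually paid on-chain.
    return (
        dep.identifier == msg.id
        and dep.kol_address.lower() == msg.kol_address.lower()
        and dep.value_wei >= msg.price_wei
    )

def deliverable(messages, deposits, accept) -> set:
    # Ids of messages that the given check would release to the KOL.
    by_id = {m.id: m for m in messages}
    return {d.identifier for d in deposits
            if d.identifier in by_id and accept(by_id[d.identifier], d)}

# Constructed sample data; the addresses and ids are placeholders, not real records.
KOL = "0x00000000000000000000000000000000000000c0"
OTHER = "0x00000000000000000000000000000000000000d0"
MESSAGES = [MessageRecord("msg-a", KOL, 1 * WEI_PER_BNB),
            MessageRecord("msg-b", KOL, 1 * WEI_PER_BNB),
            MessageRecord("msg-c", KOL, 1 * WEI_PER_BNB)]
DEPOSITS = [DepositEvent("msg-a", KOL, WEI_PER_BNB // 100),  # 0.01 BNB, underpaid
            DepositEvent("msg-b", KOL, 1 * WEI_PER_BNB),     # full price
            DepositEvent("msg-c", OTHER, 1 * WEI_PER_BNB)]   # paid, but to another KOL
```

With the identifier-only check all three messages are delivered; with the hardened check only the fully paid message addressed to the right KOL is.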

So in about 10 minutes we bypassed the rule that talking to CZ costs 1 BNB, and said hi to CZ for only 0.01 BNB.

It is also worth noting that there are deeper uses, such as sending CZ "interesting" messages and conducting spear phishing? Given CZ's influence, I gave up on that part of the test. Everyone should pay more attention to security and be careful about phishing.

Summary

This kind of product design, which mixes centralized and decentralized components, often leads to inconsistent security checks on-chain and off-chain, so an attacker can bypass certain checks by analyzing how the on-chain and off-chain parts interact. The SlowMist Security Team recommends that projects keep the necessary security checks synchronized between their on-chain and off-chain code as far as possible, to rule out such bypasses. We also recommend engaging a professional security team to perform security audits, so that potential security risks are discovered and prevented.
