# Binance $wBETH Centralization Risk Analysis Report

## Abstract

Recently, Binance's Earn team launched a proposal at Curve.fi to add $wBETH to the gauge controller, a move that will enable the distribution of gauge weights, which its users can use to mint $CRV. The Supremacy research team is committed to exploring cutting-edge projects and building a secure and stable ecosystem. Considering the importance of ecosystem security for Curve.fi and Binance, we decided to perform a centralization risk assessment of $wBETH.

**This report is not intended to be used as any financial advice.**

## Introduction

Wrapped BETH ("WBETH") is a special kind of BETH: a token created by depositing BETH into the BETH wrapper. Each WBETH represents 1 BETH (1:1 to staked ETH) plus all of its accrued ETH2.0 staking rewards starting from when WBETH's conversion rate was initialized at 1:1 on 27 Apr 2023 00:00 (UTC+0). In other words, WBETH is reward-bearing in nature. It reflects ETH2.0 staking rewards not by growing in quantity, but by growing in value relative to BETH. Over time, one WBETH will likely be worth more BETH.

## About Us

[Supremacy](https://Supremacy.Team) is a leading blockchain security agency, composed of industry hackers and academic researchers, providing clients with a one-stop security solution for the whole life cycle with our technology precipitation and innovative research.

We are reachable at Telegram (https://t.me/SupremacyInc), Twitter (https://twitter.com/Supremacy_CA), or Email ([contact@supremacy.email](mailto:contact@supremacy.email)).

## Risk Analysis

On this basis, we will analyze the ultimate harm caused by centralization risk: direct transfer of assets.

1. FiatTokenProxy `0xa2E3356610840701BDf5611a53974510Ae27E2e1`
   This address has been used on `Ethereum` and `BNB Chain`. It is a proxy contract that forwards messages to the logic contracts.
2. 
WrapTokenV1(ETH/BSC) `0x523177Fbe442aFB70b401d06bB11EC7b8684EceE`
   This address has been used on `Ethereum` and `BNB Chain`. It is the logic contract of the $wBETH wrapper that processes the forwarded messages.

---

At this stage, only one `WrapTokenV1(ETH/BSC)` contract is used to deposit $ETH as the method of minting $wBETH. Because ETH is the native token of Ethereum, we considered how its handling differs between Ethereum and other EVM chains (e.g. BNB Chain).

> Ethereum: ETH = Native token

![](https://i.imgur.com/HCvyiTg.png)

At the contract level on the Ethereum platform, any asset transfer involving ETH, either to or from the contract, is bound to involve calls to `.transfer`, `.send` or `.call`. In this case, it uses `.call` to transfer the $ETH to the `ethReceiver` account.

> BNB Chain: ERC20 token // 0x2170Ed0880ac9A755fd29B2688956BD959F933F8

![](https://i.imgur.com/vzpOK3k.png)

On the BNB Chain platform, ETH is an ERC20 token, so the contract uses the SafeERC20 `safe*` helper functions to transfer ETH assets.

Based on this discrepancy, we carefully checked all the functions involved in transferring assets out and unexpectedly found a function in the `WrapTokenV1BSC` contract on the BNB Chain platform that can transfer out the ETH assets deposited by all users.

```solidity=54
/**
 * @notice Rescue ERC20 tokens locked up in this contract.
 * @param tokenContract ERC20 token contract address
 * @param to Recipient address
 * @param amount Amount to withdraw
 */
function rescueERC20(
    IERC20 tokenContract,
    address to,
    uint256 amount
) external onlyRescuer {
    tokenContract.safeTransfer(to, amount);
}
```

<center> Rescuable.sol </center>
<br>

In general, a `rescue()` function is used to release token assets that were unintentionally sent to the contract. However, in this implementation, the developers did not consider the centralization risk that the feature creates when the deposit asset itself is an ERC20 token rather than native ETH.
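To make the difference between the two chains concrete, the following is a constructed Python model added for this report (not Binance's code): the wrapper holds user deposits as an ERC20 balance, exactly as `WrapTokenV1BSC` does on BNB Chain, and `rescue_erc20` is run once as deployed and once with the deposit-token check proposed in the Recommendation section. The ledger class, the wrapper/user/rescuer/sink addresses and the 100-token deposit are constructed; only the BNB Chain ETH token address comes from the report.

```python
# Constructed addresses; only the ETH token address comes from the report.
ETH_TOKEN = "0x2170Ed0880ac9A755fd29B2688956BD959F933F8"
WRAPPER = "0xWRAPPER"   # hypothetical WrapTokenV1BSC deployment
USER = "0xUSER"
RESCUER = "0xRESCUER"
SINK = "0xSINK"         # destination chosen by whoever holds the rescuer key


class ERC20Ledger:
    """Minimal ERC20 stand-in: balances per holder, transfer reverts on shortfall."""

    def __init__(self, address, balances):
        self.address = address
        self.balances = dict(balances)

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("ERC20: transfer amount exceeds balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Wrapper:
    """WrapTokenV1BSC-like wrapper: user deposits are ERC20 balances it holds."""

    def __init__(self, eth_token, rescuer, hardened):
        self.eth_token = eth_token
        self.rescuer = rescuer
        self.hardened = hardened  # True applies the deposit-token check

    def deposit(self, user, amount):
        # On BNB Chain the deposit is an ordinary ERC20 transfer into the wrapper.
        self.eth_token.transfer(user, WRAPPER, amount)

    def rescue_erc20(self, caller, token, to, amount):
        if caller != self.rescuer:  # onlyRescuer
            raise PermissionError("Rescuable: caller is not the rescuer")
        if self.hardened and token.address == self.eth_token.address:
            raise ValueError("Rescuable: cannot rescue the deposit token")
        token.transfer(WRAPPER, to, amount)  # safeTransfer


def run_scenario(hardened):
    """Deposit 100 ETH-token as the user, then let the rescuer try to move it all.
    Returns (wrapper's remaining ETH-token balance, whether the rescue reverted)."""
    eth = ERC20Ledger(ETH_TOKEN, {USER: 100})
    wrapper = Wrapper(eth, RESCUER, hardened)
    wrapper.deposit(USER, 100)
    try:
        wrapper.rescue_erc20(RESCUER, eth, SINK, eth.balances[WRAPPER])
        return eth.balances[WRAPPER], False
    except ValueError:
        return eth.balances[WRAPPER], True
```

As deployed, `run_scenario(False)` leaves the wrapper with no ETH-token at all; with the check, the same call reverts and the deposits stay put, while rescuing an unrelated stray token still succeeds.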
Calling this function first passes through the `onlyRescuer` access-control modifier, which checks that the caller is the privileged `rescuer` account. That account can be changed at will by the owner of the contract by calling `updateRescuer`.

```solidity=68
/**
 * @notice Assign the rescuer role to a given address.
 * @param newRescuer New rescuer's address
 */
function updateRescuer(address newRescuer) external onlyOwner {
    require(
        newRescuer != address(0),
        "Rescuable: new rescuer is the zero address"
    );
    _rescuer = newRescuer;
    emit RescuerChanged(newRescuer);
}
```

<center> Rescuable.sol </center>
<br>

![](https://i.imgur.com/vSdYJaW.png)

We checked the owner's account and confirmed that it was a single-signature EOA account, which means that a leak of the private key or internal mischief could lead to very serious consequences.

Based on this potential risk, we contacted Binance's Earn team through a friend, and they confirmed that the account's private key was controlled by the finance department and had a certain level of security, so the risk could be mitigated.

In the end, we found that Binance had commissioned PeckShield to perform a security audit of its wBETH, and in their report they did not mention any potential risks regarding the `rescueERC20()` function.

https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-wBETH-v1.0.pdf

## Recommendation

However, the centralization risk still exists at the code level, so we recommend adding a check against the ETH token address in `rescueERC20()` to ensure that assets other than those expected cannot be transferred through this function.

```diff=54
/**
 * @notice Rescue ERC20 tokens locked up in this contract.
 * @param tokenContract ERC20 token contract address
 * @param to Recipient address
 * @param amount Amount to withdraw
 */
function rescueERC20(
    IERC20 tokenContract,
    address to,
    uint256 amount
) external onlyRescuer {
+   require(tokenContract != _ETH_ADDRESS);
    tokenContract.safeTransfer(to, amount);
}
```

<center> Rescuable.sol </center>
<br>

## Disclaimer

Supremacy reports do not provide any indication of the technology proprietors, business, business model or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Supremacy has the right to distribute the Report through other means, including via Supremacy publications and other distributions. Supremacy makes the reports available to parties other than the Clients (i.e., "third parties").
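Review bot: the added `+ require(tokenContract != _ETH_ADDRESS);` in `rescueERC20` compares an `IERC20` value with `_ETH_ADDRESS`, which is not declared anywhere in the shown snippet and will only compile if it is itself typed `IERC20`; suggest `require(address(tokenContract) != ETH_TOKEN_ADDRESS, "Rescuable: cannot rescue deposit token");` with `ETH_TOKEN_ADDRESS` declared as the BNB Chain ETH token `0x2170Ed0880ac9A755fd29B2688956BD959F933F8`, so the comparison type-checks and a failed call carries a revert reason. Since the deposit asset is specific to `WrapTokenV1BSC` while `Rescuable.sol` is a generic base, the check belongs in the BSC wrapper (for example as an override of `rescueERC20`) rather than in the shared base contract.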