An expert has discovered a vulnerability in Binance's reserves audit mechanism.
The Proof-of-Reserves (PoR) scheme used by the cryptocurrency exchange Binance has a weakness in how it accounts for lending, which opens the door to so-called fictitious users. This was stated by Enrico Bottazzi, an expert from the research organization Privacy Scaling Explorations.
The issue involves non-existent accounts that carry a positive position in illiquid assets and a debt (negative) position in highly liquid assets.
The expert detailed a potential attack scenario, wherein a fictitious user takes out a loan in one cryptocurrency using another as collateral.
"In this case, the balance for the collateral coin would be negative, while the net balance of the two coins when converted to dollars should be positive. Considering that Binance supports user debts, [there is a possibility] that the exchange could claim solvency even if it is not," Bottazzi explained.
He added that when a user withdraws highly liquid coins, the exchange may not have them available immediately and would be forced to liquidate illiquid assets to cover the withdrawal.
"However, liquidation may become impossible due to changing market conditions, exposing the user to the risk of being unable to withdraw their funds," the expert concluded.
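The scenario described above, as an added worked model that is not part of the original article and not Binance's or Bottazzi's code. The asset names, spot prices, balances and reserves are constructed for the example; the shape of the debt-tolerant check (every account's net USD equity must be non-negative, and each asset's netted liability must be covered by reserves) is an assumption inferred from the description, not Binance's actual algorithm. The model shows how a phantom account with a 2 BTC debt and a positive balance in a thin token makes the netted check pass while real users hold more BTC than the exchange has, and how a fire-sale discount on the illiquid token decides whether that gap can be closed.

```python
"""Constructed model of a fictitious user gaming a debt-tolerant proof of reserves.

Editor's illustration only. Asset names, prices, balances, reserves and the
three checks are assumptions chosen to make the effect visible.
"""

# Constructed spot prices in USD. ILLIQ stands for a thinly traded token;
# BTC stands for the highly liquid asset the phantom account "borrows".
SPOT = {"BTC": 30_000.0, "ILLIQ": 1.0}
LIQUID_ASSETS = {"BTC"}

# Constructed user ledger: asset -> signed balance, negative = debt to the exchange.
USERS = {
    "alice":   {"BTC": 6.0},
    "bob":     {"BTC": 4.0},
    # Non-existent account: owes 2 BTC, "holds" 70,000 ILLIQ as collateral.
    "phantom": {"BTC": -2.0, "ILLIQ": 70_000.0},
}

# Constructed on-chain reserves: only 8 BTC, although real users hold 10.
RESERVES = {"BTC": 8.0, "ILLIQ": 70_000.0}


def user_net_usd(balances, spot):
    """Net equity of one account at spot prices (debts subtract)."""
    return sum(qty * spot[asset] for asset, qty in balances.items())


def netted_per_asset_liabilities(users):
    """Per-asset sum of signed balances: a debt position reduces the liability."""
    total = {}
    for balances in users.values():
        for asset, qty in balances.items():
            total[asset] = total.get(asset, 0.0) + qty
    return total


def gross_per_asset_liabilities(users):
    """Per-asset sum of positive balances only: what users could actually withdraw."""
    total = {}
    for balances in users.values():
        for asset, qty in balances.items():
            if qty > 0:
                total[asset] = total.get(asset, 0.0) + qty
    return total


def netted_check_passes(users, reserves, spot):
    """Assumed debt-tolerant check: every account has non-negative net USD
    equity, and every asset's netted liability is covered by reserves."""
    if any(user_net_usd(b, spot) < 0 for b in users.values()):
        return False
    netted = netted_per_asset_liabilities(users)
    return all(reserves.get(a, 0.0) >= q for a, q in netted.items())


def gross_shortfalls(users, reserves):
    """Assets whose reserves cannot cover withdrawal of all positive balances."""
    gross = gross_per_asset_liabilities(users)
    return {a: q - reserves.get(a, 0.0) for a, q in gross.items()
            if q > reserves.get(a, 0.0)}


def fire_sale_covers(shortfalls, reserves, spot, fire_sale, liquid_assets):
    """Could selling the illiquid reserves at fire-sale prices buy back the
    shortfall? Returns (USD needed, USD raised, covered?)."""
    needed_usd = sum(q * spot[a] for a, q in shortfalls.items())
    proceeds_usd = sum(q * fire_sale.get(a, 0.0) for a, q in reserves.items()
                       if a not in liquid_assets)
    return needed_usd, proceeds_usd, proceeds_usd >= needed_usd


if __name__ == "__main__":
    short = gross_shortfalls(USERS, RESERVES)
    print("netted check passes:", netted_check_passes(USERS, RESERVES, SPOT))
    print("real BTC shortfall:", short)
    print("calm market:", fire_sale_covers(short, RESERVES, SPOT, {"ILLIQ": 1.0}, LIQUID_ASSETS))
    print("stressed market:", fire_sale_covers(short, RESERVES, SPOT, {"ILLIQ": 0.5}, LIQUID_ASSETS))
```

Removing the phantom account makes the netted check fail, because the real BTC liability of 10 then exceeds the 8 BTC in reserve; the phantom's 2 BTC debt, collateralized only by the thin token, is what papers over the gap. The gross (positive-balances-only) check is the one a depositor cares about, and the fire-sale comparison shows the exchange's ability to close the gap depends entirely on the market for the illiquid token.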