Authors: 23pds & Thinking

Edited by: Sherry

Background

Yesterday, while I was sorting materials related to the APT attack, Shange (@im23pds) came over to my workstation, visibly excited: 'Thinking, I found an interesting project that CZ frequently uses, and we might be able to say hi to CZ at zero cost.' So we quickly drafted several potential vulnerability points:

  • Hijack CZ's account on ReachMe;

  • Change CZ's settings on ReachMe;

  • Send messages to CZ without spending money, bypassing the limitation of having to spend 1 BNB to message him.

About 10 minutes later, we discovered a vulnerability that allows low-cost messaging with any user on ReachMe.io, so we immediately contacted the project team and provided the details needed to verify it. The project team quickly fixed the vulnerability and contacted us for retesting. Kudos to the ReachMe team for their serious and rigorous approach to security issues!

https://x.com/SlowMist_Team/status/1905212712956665896

Additionally, the SlowMist security team was honored to receive thanks from CZ and the ReachMe project team.

https://x.com/cz_binance/status/1905240886986039437

Discovery Process

ReachMe.io is a paid chat platform built on BNB Chain that connects KOLs (Key Opinion Leaders) with fans through a cryptocurrency payment mechanism. Users pay a fee in BNB to send a private message to a KOL; the KOL receives 90% of the fee and the platform takes a 10% cut. If the KOL does not respond within 5 days, the user can get a 50% refund.

On March 27, 2025, Binance founder CZ changed his X account bio to: 'DM: https://reachme.io/@cz_binance (fees go to charity)', meaning 'DM me on ReachMe, and the fees will go to charity.'

The page showed that saying hi to CZ costs 1 BNB, so we sketched a few approaches and tried to find a way to bypass that 1 BNB requirement.

After some research with Shange, we found that when a message is sent to any KOL, ReachMe first creates a summary record for the message through the '/api/kol/message' interface, whose response includes an '_id' field. When the message is paid for, this value is passed to the contract function deposit(string identifier, address kolAddress) as the '_identifier' parameter.

The BNB paid for a message is simply the value attached to that deposit call, so we constructed a transaction calling deposit with the message 'Hi CZ', the corresponding '_identifier' and CZ's address, and attached 0.01 BNB (the minimum is only 0.001 BNB).

Because ReachMe's contract did not initially store each KOL's message price for enforcement in deposit (perhaps so that KOLs could adjust their prices at any time without paying gas?), the 1 BNB requirement could be bypassed by modifying the front-end code, altering network response packets, or interacting with the contract directly. The server side compounded this: it never compared the KOL's message price against the BNB amount in the on-chain transaction before accepting the message.

So, after about 10 minutes of work, we had bypassed the rule that requires 1 BNB to chat with CZ and said hi to CZ for just 0.01 BNB.

Additionally, it is worth noting that deeper exploitation would have been possible, such as sending CZ crafted messages for phishing. Given CZ's significant influence, we decided not to test that part; everyone should also pay attention to safety and stay vigilant against phishing.

Summary

Products that combine centralized and decentralized components often end up with security checks that are inconsistent between the on-chain and off-chain paths, so an attacker who traces both interaction flows can bypass a check that is enforced on only one side. The SlowMist security team recommends that project teams keep the necessary security checks synchronized between on-chain and off-chain code wherever possible to avoid such bypasses, and that they engage professional security teams for audits to identify and mitigate potential security risks.
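The following is an added example, not ReachMe's code or contract, that models the two missing checks described in the Discovery Process and the synchronization this Summary recommends. Everything in it is constructed or hypothetical: the addresses, the message id, the off-chain price table PRICES_WEI, the decoded DepositTx record, and the HardenedDepositContract model (whose Solidity counterpart would be a require(msg.value >= priceOf[kolAddress]) check in deposit). The weak server-side check accepts any successful deposit that references the message id, which is the behaviour the write-up describes; the hardened check also compares the attached value against the KOL's price and refuses to reuse a transaction hash, and the contract model enforces the same price on-chain so that neither layer depends on the other.

```python
from dataclasses import dataclass

WEI_PER_BNB = 10**18

# Constructed sample addresses for this example (not real ReachMe, CZ or user addresses).
CONTRACT_ADDR = "0x3333333333333333333333333333333333333333"
KOL_ADDR = "0x1111111111111111111111111111111111111111"
USER_ADDR = "0x2222222222222222222222222222222222222222"
# Hypothetical off-chain price table (KOL address -> message price in wei); 1 BNB for this KOL.
PRICES_WEI = {KOL_ADDR.lower(): 1 * WEI_PER_BNB}


@dataclass(frozen=True)
class DepositTx:
    """A mined deposit(string identifier, address kolAddress) call, already ABI-decoded.
    Constructed here; a real server would load the receipt and calldata from a node."""
    tx_hash: str
    sender: str
    to: str            # contract the call was sent to
    status: int        # 1 = success
    value_wei: int     # BNB attached to the call (msg.value)
    identifier: str    # decoded 'identifier' argument
    kol_address: str   # decoded 'kolAddress' argument


@dataclass(frozen=True)
class PendingMessage:
    """Server-side record created by the /api/kol/message step, before payment."""
    message_id: str    # the '_id' the client passes to deposit() as the identifier
    sender: str
    kol_address: str
    text: str


def same_addr(a, b):
    return a.lower() == b.lower()


def accept_without_price_check(pending, tx):
    """The off-chain check the write-up describes as insufficient: the server only confirms
    that a successful deposit() carrying this message id reached the contract."""
    return (tx.status == 1 and same_addr(tx.to, CONTRACT_ADDR)
            and tx.identifier == pending.message_id
            and same_addr(tx.kol_address, pending.kol_address))


def verify_paid_message(pending, tx, consumed):
    """Hardened off-chain check: the structural checks above plus the price comparison the
    original server skipped, and a replay guard on the tx hash. Returns (ok, reason)."""
    if tx.tx_hash in consumed:
        return False, "tx already used"
    if tx.status != 1 or not same_addr(tx.to, CONTRACT_ADDR):
        return False, "not a successful call to the message contract"
    if tx.identifier != pending.message_id:
        return False, "identifier does not match message"
    if not (same_addr(tx.kol_address, pending.kol_address) and same_addr(tx.sender, pending.sender)):
        return False, "sender/KOL mismatch"
    required = PRICES_WEI.get(pending.kol_address.lower())
    if required is None:
        return False, "no price configured for KOL"
    if tx.value_wei < required:
        return False, f"underpaid: {tx.value_wei} wei < {required} wei"
    consumed.add(tx.tx_hash)
    return True, "ok"


class HardenedDepositContract:
    """Model of the on-chain half of the fix: the KOL's price lives in the contract and
    deposit() enforces it (Solidity equivalent: require(msg.value >= priceOf[kolAddress]))."""
    def __init__(self):
        self.price_of = {}   # kolAddress -> price in wei (on-chain, settable only by that KOL)
        self.paid = {}       # identifier -> (sender, kol, value); blocks double use of an id

    def set_price(self, kol, price_wei):
        self.price_of[kol.lower()] = price_wei

    def deposit(self, identifier, kol_address, sender, msg_value):
        price = self.price_of.get(kol_address.lower())
        if price is None or msg_value < price:
            raise ValueError("revert: payment below KOL price")
        if identifier in self.paid:
            raise ValueError("revert: identifier already paid")
        self.paid[identifier] = (sender, kol_address, msg_value)


def demo():
    """Runs both checks against a constructed 0.01 BNB and a 1 BNB payment for the same message."""
    pending = PendingMessage("msg_demo_001", USER_ADDR, KOL_ADDR, "Hi CZ")
    underpaid = DepositTx("0xaa01", USER_ADDR, CONTRACT_ADDR, 1, WEI_PER_BNB // 100, "msg_demo_001", KOL_ADDR)
    full = DepositTx("0xaa02", USER_ADDR, CONTRACT_ADDR, 1, WEI_PER_BNB, "msg_demo_001", KOL_ADDR)
    consumed = set()
    results = {
        "weak_accepts_underpaid": accept_without_price_check(pending, underpaid),
        "strict_accepts_underpaid": verify_paid_message(pending, underpaid, consumed)[0],
        "strict_accepts_full": verify_paid_message(pending, full, consumed)[0],
        "replay_reason": verify_paid_message(pending, full, consumed)[1],
    }
    contract = HardenedDepositContract()
    contract.set_price(KOL_ADDR, WEI_PER_BNB)
    try:
        contract.deposit("msg_demo_001", KOL_ADDR, USER_ADDR, WEI_PER_BNB // 100)
        results["contract_reverts_underpaid"] = False
    except ValueError:
        results["contract_reverts_underpaid"] = True
    return results
```

Running demo() shows the 0.01 BNB payment passing the weak check and failing both the hardened server check and the price-aware contract, while the full 1 BNB payment is accepted once and then refused as a replay. The design point is that the price is enforced in both places: if the off-chain table and the on-chain value ever disagree, the stricter of the two wins rather than the bypassable one.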