This article analyzes in depth the recent cases of runes being “lost” during BEVM cross-chain operations and offers security suggestions to keep such problems from happening again.
Written by Leon, ScaleBit Research Team
Recently, we noticed that some runes were being “lost” in BEVM cross-chain operations, which has raised concern in the community. This article analyzes the issue in depth, aiming to give users a more complete understanding of it. It also uses the topic to discuss some precautions for using inscriptions and runes, which have recently become popular.
*On December 23, 2023 (Beijing time), some BEVM cross-chain users discovered that some of the COOK and PSBTS held in their accounts had been transferred to the cross-chain bridge without their knowledge. These users raised the issue with the BEVM team, and BEVM’s official Twitter account then issued a statement saying that, because these runes are not supported by mainstream wallets such as UniSat, such non-mainstream inscriptions are treated as ordinary UTXOs and sent to the BEVM address when crossing to BEVM.*
*The ScaleBit security team noticed the incident and investigated immediately. The investigation confirmed that these runes were indeed transferred as ordinary UTXOs in the same cross-chain transaction, rather than “stolen” by BEVM.*
According to the BEVM official website, BEVM is a BTC Layer 2 that uses BTC as gas and is compatible with the EVM. Its core goal is to expand Bitcoin’s smart contract scenarios and help BTC break through the constraints of the Bitcoin blockchain, which is not Turing complete and does not support smart contracts, so that decentralized applications can be built on BEVM’s Layer 2 with BTC as the native gas.
Recently, with the launch of the BEVM Odyssey event, many users have begun to cross-chain BTC to BEVM to interact with it, hoping to seize the opportunity to participate in the BEVM ecosystem in the future. During the cross-chain process, however, some users found that part of the COOK and PSBTS they held had been lost. The block explorer showed that these runes had been transferred to the BEVM cross-chain bridge, which led to the situation described above.
Next, let us look at what happened.
First, we found some cross-chain transaction information through the BEVM browser. Through analysis, we found that the receiving address of the cross-chain bridge is:
bc1p43kqxnf7yxcz5gacmqu98cr2r5gndtauzrwpypdzmsgp7n3lssgs5wruvy
We then checked this address on Rune Alpha (a universal browser and service that supports RUNES protocols such as COOK and PSBTS). The address holds a large number of various runes, including more than 110,000 COOK and more than 280,000 PSBTS.

We immediately conducted research and analysis on this part of rune-related transactions.
Let’s take one of these transactions as an example:
The transaction content is shown in the figure:

We can see that the transaction has two inputs, 0.00000546 BTC (including 1000 COOK) and 0.02169031 BTC, and the output is 0.02 BTC (including 1000 COOK) and 0.00148377 BTC.
For comparison, we found a cross-chain bridge transaction that did not involve COOK. Its output is as follows:

It can be seen that both input and output contain a UTXO of 0.00000546 BTC.
Why is this so? To answer that, we need some background.
First, let’s understand what UTXO is.

UTXO stands for Unspent Transaction Output, and it is a core concept of Bitcoin. In Bitcoin transactions, each transaction has inputs and outputs. The money someone else pays you is the “transaction input”, and the money you receive is the “transaction output”.
The core design idea of UTXO is statelessness. It records transaction events but not the final state. That is, only change events are recorded, and users need to calculate their own balances from the historical records. The Bitcoin transaction model is therefore different from the bank accounts we usually use. It has no accounts; Bitcoin only has UTXOs. A UTXO can be thought of as a “coin” of any amount.
A UTXO is just like a coin and cannot be broken up when it is used. So how do you gather the input amount for a transaction, and how do you get change?
For example, Xiao Ming transfers 1 BTC to Xiao Gang. The whole process goes like this. Xiao Ming needs to gather enough inputs. Among the previous transactions to Xiao Ming’s address, he finds a UTXO with a face value of 0.9, which is not enough for 1 BTC. Fortunately, a transaction may have multiple inputs, so Xiao Ming finds another UTXO with a face value of 0.2, and this transfer transaction has two inputs. It also has two outputs: one pointing to Xiao Gang’s address, with a face value of 1 BTC, and the other pointing to Xiao Ming’s address, with a face value of about 0.1 BTC. The second output is the change.
In a Bitcoin transfer, there is no fixed algorithm for choosing the inputs; it depends on the wallet’s implementation.
Secondly, we need to understand what inscriptions and runes are. Bitcoin inscriptions and runes are two important concepts in the Bitcoin ecosystem.
**The main representative of Bitcoin inscriptions is the Ordinals protocol.** Ordinals was born in December 2022. Its content is stored entirely on chain, and it was developed by Casey Rodarmor. The protocol uses the sat numbering system: Ordinals tracks each satoshi through transactions by giving it a serial number. Users can also attach additional data (images, videos, text, etc.) to the Bitcoin blockchain through Ordinals, which makes each satoshi unique and gives it the nature of an NFT. BRC-20 was created on top of this protocol.
**The Runes protocol.** With the popularity of BRC-20, transactions of BRC-20 related tokens came to account for the majority of Ordinals protocol activity. On September 26, 2023, Casey Rodarmor developed a new protocol called Runes (what everyone now refers to as the Runes protocol) as a replacement for BRC-20. It is a simple FT (fungible token) protocol based on UTXO (Unspent Transaction Output) that gives Bitcoin users a good experience. The main representatives of runes are the COOK and PSBTS mentioned above.
The carriers of both Bitcoin inscriptions and runes are UTXOs. A key difference between Bitcoin inscriptions and runes is that inscriptions are engraved in the Segregated Witness data, while runes are engraved in OP_RETURN. The amount of data that OP_RETURN can store is very limited, but it is more than enough for issuing coins. This is not a new technology.
When users mint inscriptions or runes, they essentially send the matching amount of Bitcoin to the protocol, and the protocol returns a UTXO carrying the inscription or rune, usually a UTXO of 0.00000546 BTC. Why 0.00000546? This is the minimum transaction amount set by Bitcoin.

Inscriptions can be transferred because these wallets recognize the special format of these UTXOs. The wallets use these UTXOs as inputs according to the corresponding protocol and pay an additional fee to transfer them to the other party.

As for the users who lost runes: because runes are still UTXOs in nature, when users performed cross-chain operations on Bitcoin with UniSat, UniSat did not recognize the UTXOs containing runes, treated them as ordinary UTXOs, and sent them to the cross-chain bridge together with the other inputs.
In fact, this is not limited to cross-chain operations. Users may also lose runes when performing other Bitcoin transfers in wallets that do not support runes. On December 7, a user lost 15,000 COOK during a BRC-20 swap operation on UniSat.
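The coin selection behind this loss, and the wallet-side check that prevents it, as an added example (not code from UniSat, BEVM or the original article). The smallest-first policy, the outpoint names and the 1,000-sat hold threshold are assumptions; the amounts are those of the transaction analysed above, with the fee taken as inputs minus outputs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    outpoint: str  # "txid:vout"; the values below are constructed placeholders
    sats: int

def select_inputs(utxos, target, fee, asset_outpoints=frozenset(), hold_below=0):
    """Smallest-first accumulation (one possible wallet policy, assumed here).

    asset_outpoints: outpoints an indexer reports as carrying runes/inscriptions.
    hold_below: fail-closed fallback for protocols the wallet cannot index;
                UTXOs smaller than this many sats are never auto-spent.
    Returns (chosen_inputs, change_sats).
    """
    needed, chosen, total = target + fee, [], 0
    for u in sorted(utxos, key=lambda u: u.sats):
        if u.outpoint in asset_outpoints or u.sats < hold_below:
            continue  # keep possible asset carriers out of ordinary payments
        chosen.append(u)
        total += u.sats
        if total >= needed:
            return chosen, total - needed
    raise ValueError("not enough plain BTC; refusing to spend asset-bearing UTXOs")

def swept_assets(chosen, asset_outpoints):
    """Detection: which known asset carriers ended up as transaction inputs."""
    return [u.outpoint for u in chosen if u.outpoint in asset_outpoints]

# Constructed wallet mirroring the transaction analysed above.
WALLET = [Utxo("rune-carrier:0", 546),       # holds 1000 COOK
          Utxo("plain-btc:1", 2_169_031)]
RUNES = frozenset({"rune-carrier:0"})        # what a rune indexer would report
TARGET, FEE = 2_000_000, 21_200              # fee = inputs minus the two outputs

if __name__ == "__main__":
    naive, change = select_inputs(WALLET, TARGET, FEE)
    print("rune-unaware:", [u.outpoint for u in naive], change,
          swept_assets(naive, RUNES))
    safe, change = select_inputs(WALLET, TARGET, FEE, asset_outpoints=RUNES)
    print("rune-aware:  ", [u.outpoint for u in safe], change)
    held, change = select_inputs(WALLET, TARGET, FEE, hold_below=1_000)
    print("no indexer:  ", [u.outpoint for u in held], change)
```

The rune-unaware call reproduces the two inputs and the 148,377-sat change of the analysed transaction; the other two calls fund the same payment from the plain UTXO alone.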

Another interesting point is that when minting runes on Runes Alpha, it is possible for the user’s inscriptions to be spent as gas.
From BEVM’s official documentation, we found that BEVM’s cross-chain bridge supports inscriptions. Users only need to use BSwap to cross-chain their inscriptions to BEVM. The wallet used for cross-chain operations is the UniSat wallet, a Chrome plug-in wallet for the BTC ecosystem that helps users store, mint and transfer BRC-20 tokens. It can identify the user’s inscriptions and so avoids merging those UTXOs into other transactions. They are transferred only when the user actively trades the inscription.

UniSat does not currently support the rune protocol, which is why users “lose” runes across chains but not inscriptions. A similar situation will occur with other wallets that do not support runes.
Now that the runes have been moved to the cross-chain bridge, can users still get them back?
We consulted the BEVM white paper. BEVM’s asset cross-chain solution is built on Bitcoin’s Taproot technology. It is a POS network composed of Schnorr signature + Mast contract + 1000 BTC light node that achieves decentralized cross-chain transfer and management of assets. The two-way BTC-BEVM cross-chain is managed entirely by on-chain node consensus, making it fully code-based and trustless instead of relying on multi-signature or manual management. This makes the cross-chain security of BTC and Bitcoin assets as decentralized and secure as BFT POS. Therefore, BEVM officials cannot initiate a separate transfer transaction to withdraw the users’ “rune assets”.
Since BEVM does not support the rune protocol, whether these runes are transferred out is completely random. When the custody contract executes a transaction, these “rune assets” may be transferred out as ordinary UTXOs, but the entire process is completely random and not subject to human control. Forcibly withdrawing them would require completely changing the consensus of the entire BEVM chain, which would undoubtedly lead to a hard fork of BEVM.
Overall, this incident was due to multiple reasons:
How can ordinary users avoid this type of problem in the future? When interacting, we recommend that users do the following:
At the same time, developers are reminded that, during development and design, they need to fully consider possible protocol incompatibility issues and be prepared to solve them at the code level. Where that is not possible, they should do research before going online and give clear reminders to avoid unnecessary doubts and trouble.
The emergence of inscriptions and runes is an important milestone in the continuous exploration and innovation of the Bitcoin ecosystem. It has greatly increased everyone’s attention to and enthusiasm for participating in the Bitcoin ecosystem, and it is of great significance for the ecosystem’s future development. **However, for now, inscriptions and runes are still at a relatively early stage. We hope that everyone pays attention to the related risks while participating and avoids acting blindly.**
ScaleBit is a leading blockchain security team in the Web3 field, located in Silicon Valley, Singapore, Hong Kong, Taiwan and other places. We have provided blockchain security solutions to 200+ organizations and projects in the global Web3 field, audited a total of 180,000+ lines of code, and protected user assets worth 8 billion+ dollars. **Make Security Accessible for All! If you have any security audit needs, please feel free to contact us. We will customize detailed, comprehensive, and professional security solutions for you to protect you and the Web3 field!**