Hacker’s Perspective: How to Say Hi to CZ with 0.01 BNB

SlowMist
Mar 28, 2025

Authors: 23pds & Thinking
Editor: Sherry

Background

Yesterday, while I was organizing materials related to APT attacks, 23pds (@im23pds) suddenly came over to my desk excitedly:

“Thinking, I’ve found an interesting project that CZ frequently uses. We might be able to say hi to CZ at zero cost.”

We quickly outlined a few potential vulnerabilities:

  • Hijacking CZ’s account on ReachMe
  • Modifying CZ’s settings on ReachMe
  • Sending a message to CZ without paying, bypassing the 1 BNB fee required to message him

About 10 minutes later, we discovered a vulnerability in ReachMe.io that allowed us to say hi to any user at a very low cost. We immediately reached out to the project team and provided details of the vulnerability validation. The team responded swiftly, fixing the issue right away and contacting us for retesting. Kudos to the ReachMe team for their rigorous and responsible approach to security!

https://x.com/SlowMist_Team/status/1905212712956665896

Additionally, the SlowMist Security Team was honored to receive thanks from CZ and the ReachMe project team.

https://x.com/cz_binance/status/1905240886986039437

Discovery Process

ReachMe.io is a BNB Chain-based paid messaging platform designed to connect KOLs (Key Opinion Leaders) with their followers through cryptocurrency payments. Users must pay BNB to send private messages to KOLs, with 90% of the fee going to the recipient and 10% taken as a platform fee. If the KOL does not respond within 5 days, the user gets a 50% refund.

On March 27, 2025, Binance founder CZ updated his X bio to:

“DM: https://reachme.io/@cz_binance (fees go to charity)”

This meant users could direct message CZ on ReachMe, and the fees would be donated to charity.

We noticed that the cost to say hi to CZ was 1 BNB, so we brainstormed several potential workarounds and started testing ways to bypass this 1 BNB requirement to message him.

After some research with 23pds (@im23pds), we discovered that when sending a message to any KOL on ReachMe, the platform generates a message summary via the /api/kol/message API.

The response contains an _id field, which is then passed to the on-chain contract function used for sending messages: deposit(string _identifier, address _kolAddress). The _identifier parameter is the _id value returned by the API.

Furthermore, the BNB paid to message a KOL is simply the amount attached to the deposit call. With this in mind, we crafted a transaction using the _identifier corresponding to the message "Hi CZ" and CZ's address, then sent it to the contract with just 0.01 BNB (the minimum required was only 0.001 BNB).

Since ReachMe did not implement an on-chain verification mechanism for the preset messaging cost set by KOLs (perhaps to allow them to adjust prices more flexibly and save gas fees), it became possible to bypass the 1 BNB restriction through several methods:

  • Modifying the front-end code
  • Altering network response packets
  • Interacting directly with the contract

This vulnerability arose because the backend, when retrieving transactions from the blockchain, failed to verify whether the message price matched the actual BNB amount in the transaction.
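One way to perform the missing backend check, shown as an added example that is not ReachMe's code or part of the original write-up: before delivering a message, reconcile the decoded deposit call against the message record stored server-side. The record layout, function name, reason codes and sample values are all assumptions constructed for illustration.

```javascript
// Added example: off-chain reconciliation of a decoded deposit() call.
// Every name and record here is hypothetical and constructed for illustration.
const WEI = 10n ** 18n;                 // 1 BNB expressed in wei
const KOL_A = "0x" + "a".repeat(40);    // constructed KOL addresses
const KOL_B = "0x" + "b".repeat(40);

// Message records as the backend stored them when the message summary was
// created. priceWei is the KOL's price captured server-side at that moment;
// it is never read back from the client or from the transaction itself.
const messages = new Map([
  ["msg-001", { kol: KOL_A, priceWei: 1n * WEI, paidBy: null }],
  ["msg-002", { kol: KOL_B, priceWei: WEI / 100n, paidBy: null }],
]);

// deposit: { txHash, success, identifier, kolAddress, valueWei }, decoded
// from a confirmed transaction. Returns { ok, reason } and marks the message
// as paid only when every check passes.
function reconcileDeposit(deposit, store) {
  if (!deposit.success) return { ok: false, reason: "tx_reverted" };

  const msg = store.get(deposit.identifier);
  if (!msg) return { ok: false, reason: "unknown_identifier" };

  // One payment per message: a second deposit must not re-deliver it.
  if (msg.paidBy) return { ok: false, reason: "already_paid" };

  // The recipient in the call must be the KOL the message was written for.
  if (msg.kol.toLowerCase() !== deposit.kolAddress.toLowerCase())
    return { ok: false, reason: "kol_mismatch" };

  // The check the write-up found missing: attached BNB vs. the stored price.
  const paid = BigInt(deposit.valueWei);
  if (paid < msg.priceWei)
    return { ok: false, reason: "underpaid", shortfallWei: msg.priceWei - paid };

  msg.paidBy = deposit.txHash;
  return { ok: true, reason: "delivered" };
}
```

Amounts are compared as BigInt wei values because floating-point BNB amounts lose precision at 18 decimals.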

In about 10 minutes, we successfully bypassed the 1 BNB messaging requirement and managed to Say Hi to CZ for just 0.01 BNB.

It is also worth noting that there were more advanced exploitation possibilities, such as sending phishing messages to CZ via this method. Given CZ’s significant influence, we decided to discontinue further testing in this direction. As always, stay vigilant and beware of phishing attacks.

Conclusion

Products that combine centralized and decentralized elements often suffer from inconsistencies between on-chain and off-chain security checks. Attackers can exploit these discrepancies by analyzing interactions between the two to bypass certain restrictions.

The SlowMist security team strongly recommends that projects synchronize necessary security checks in both on-chain and off-chain code to prevent potential bypasses. Additionally, hiring professional security auditors can help identify and mitigate security risks.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
