Hacker’s Perspective: How to Say Hi to CZ with 0.01 BNB
Authors: 23pds & Thinking
Editor: Sherry
Background
Yesterday, while I was organizing materials related to APT attacks, 23pds (@im23pds) suddenly came over to my desk excitedly:
“Thinking, I’ve found an interesting project that CZ frequently uses. We might be able to say hi to CZ at zero cost.”
We quickly outlined a few potential vulnerabilities:
- Hijacking CZ’s account on ReachMe
- Modifying CZ’s settings on ReachMe
- Sending a message to CZ without paying, bypassing the 1 BNB fee required to message him
About 10 minutes later, we discovered a vulnerability in ReachMe.io that allowed us to say hi to any user at a very low cost. We immediately reached out to the project team and provided details of the vulnerability validation. The team responded swiftly, fixing the issue right away and contacting us for retesting. Kudos to the ReachMe team for their rigorous and responsible approach to security!
Additionally, the SlowMist Security Team was honored to receive thanks from CZ and the ReachMe project team.
Discovery Process
ReachMe.io is a BNB Chain-based paid messaging platform designed to connect KOLs (Key Opinion Leaders) with their followers through cryptocurrency payments. Users must pay BNB to send private messages to KOLs, with 90% of the fee going to the recipient and 10% taken as a platform fee. If the KOL does not respond within 5 days, the user gets a 50% refund.
On March 27, 2025, Binance founder CZ updated his X bio to:
“DM: https://reachme.io/@cz_binance (fees go to charity)”
This meant users could direct message CZ on ReachMe, and the fees would be donated to charity.
We noticed that the cost to say hi to CZ was 1 BNB, so we brainstormed several potential workarounds and started testing ways to bypass this 1 BNB requirement to message him.
After some research with 23pds (@im23pds), we discovered that when sending a message to any KOL on ReachMe, the platform generates a message summary via the /api/kol/message API. This response contains an _id field, which is then included in the on-chain contract function used for sending messages: deposit(string _identifier, address _kolAddress). Here, the _identifier parameter corresponds to the _id value retrieved from the API.
Furthermore, the BNB required to send a message to a KOL is simply the amount attached when calling the deposit function. With this in mind, we crafted a transaction using the _identifier corresponding to the message "Hi CZ" and CZ's address, then sent it to the contract with just 0.01 BNB (the minimum required was only 0.001 BNB).
Since ReachMe did not implement an on-chain verification mechanism for the preset messaging cost set by KOLs (perhaps to allow them to adjust prices more flexibly and save gas fees), it became possible to bypass the 1 BNB restriction through several methods:
- Modifying the front-end code
- Altering network response packets
- Interacting directly with the contract
This vulnerability arose because the backend, when retrieving transactions from the blockchain, failed to verify whether the message price matched the actual BNB amount in the transaction.
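To make the off-chain gap concrete, here is an added model of the backend's deposit reconciliation in Python. It is not ReachMe's code; the KOL address, message ids and prices are constructed placeholders, and the two functions contrast the behaviour described above (deliver on any matching _identifier) with a check that also compares the attached BNB against the KOL's preset price.

```python
from dataclasses import dataclass

WEI_PER_BNB = 10**18

@dataclass(frozen=True)
class Deposit:
    """One deposit(string _identifier, address _kolAddress) call as an indexer sees it."""
    tx_hash: str
    identifier: str   # the _id returned by /api/kol/message
    kol_address: str
    value_wei: int    # BNB attached to the call (msg.value)

# Constructed sample state (placeholders, not real ReachMe data).
KOL_PRICE_WEI = {"0xkol_placeholder": 1 * WEI_PER_BNB}            # KOL preset price: 1 BNB
PENDING_MESSAGES = {"msg-001": {"kol": "0xkol_placeholder", "text": "Hi CZ"}}

def deliver_vulnerable(d: Deposit) -> bool:
    """Behaviour described in the write-up: any deposit whose _identifier matches a
    pending message for that KOL is delivered, regardless of the BNB attached."""
    msg = PENDING_MESSAGES.get(d.identifier)
    return msg is not None and msg["kol"] == d.kol_address.lower()

def deliver_hardened(d: Deposit) -> bool:
    """Same matching, plus the missing check: value_wei must cover the KOL's price.
    Underpaid deposits are left for the refund path instead of being delivered."""
    msg = PENDING_MESSAGES.get(d.identifier)
    if msg is None or msg["kol"] != d.kol_address.lower():
        return False
    return d.value_wei >= KOL_PRICE_WEI[msg["kol"]]

# Constructed deposits: one underpaid (0.01 BNB), one paying the full 1 BNB.
UNDERPAID = Deposit("0xtx_placeholder_1", "msg-001", "0xKOL_PLACEHOLDER", WEI_PER_BNB // 100)
FULL_PRICE = Deposit("0xtx_placeholder_2", "msg-001", "0xKOL_PLACEHOLDER", WEI_PER_BNB)

def reconcile(deposits):
    """Return {tx_hash: (vulnerable_result, hardened_result)} for each indexed deposit."""
    return {d.tx_hash: (deliver_vulnerable(d), deliver_hardened(d)) for d in deposits}

if __name__ == "__main__":
    for tx, (vuln, hard) in reconcile([UNDERPAID, FULL_PRICE]).items():
        print(f"{tx}: vulnerable delivers={vuln}, hardened delivers={hard}")
```

The same comparison belongs in the contract itself if the KOL price is stored on-chain; the off-chain check alone only closes the gap for deposits the backend indexes.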
In about 10 minutes, we successfully bypassed the 1 BNB messaging requirement and managed to Say Hi to CZ for just 0.01 BNB.
It is also worth noting that there were more advanced exploitation possibilities, such as sending phishing messages to CZ via this method. Given CZ’s significant influence, we decided to discontinue further testing in this direction. As always, stay vigilant and beware of phishing attacks.
Conclusion
Products that combine centralized and decentralized elements often suffer from inconsistencies between on-chain and off-chain security checks. Attackers can exploit these discrepancies by analyzing interactions between the two to bypass certain restrictions.
The SlowMist security team strongly recommends that projects synchronize necessary security checks in both on-chain and off-chain code to prevent potential bypasses. Additionally, hiring professional security auditors can help identify and mitigate security risks.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has since become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.