BRC20 Pinning Attack (2410.11295v3)
Abstract: BRC20 tokens are a type of non-fungible asset on the Bitcoin network. They allow users to embed customised content within Bitcoin's satoshis. The token frenzy reached a market size of US$2.811b (2023Q3–2025Q1). However, this intuitive design has not undergone serious security scrutiny. We present the first analysis of BRC20's *transfer* mechanism and identify a new attack vector. A typical BRC20 transfer involves two "bundled" on-chain transactions with different fee levels: the first (i.e., **Tx1**) with a lower fee inscribes the `transfer` request, while the second (i.e., **Tx2**) with a higher fee finalizes the actual transfer. An adversary can send a manipulated-fee transaction (falling between the two fee levels), which causes **Tx1** to be processed while **Tx2** is pinned in the mempool. This locks BRC20 liquidity and disrupts normal withdrawal requests from users. We term this the *BRC20 pinning attack*. We validated the attack in real-world settings in collaboration with Binance researchers. With their knowledge and permission, we conducted a controlled test against Binance's ORDI hot wallet, resulting in a temporary suspension of ORDI withdrawals for 3.5 hours. Recovery was performed shortly after. Further analysis confirms that the attack can be applied to over **90%** of inscription-based tokens within the Bitcoin ecosystem.