This paper identifies a mempool pinning vulnerability in the BRC-20 token transfer mechanism: attackers exploit fee-tier differentials to inject mid-fee manipulative transactions that block high-fee critical transfers, causing liquidity lockup and withdrawal failures. We formally name and systematically model this “BRC-20 Pinning Attack”, revealing a fundamental security blind spot inherent to stateful inscribed tokens operating atop the UTXO model—impacting over 90% of Bitcoin-inscribed tokens due to this architectural flaw. Our methodology integrates mempool priority rule analysis, fee-competition modeling, on-chain behavioral reverse engineering, and real-world validation via Binance’s ORDI hot wallet, which suffered a 3.5-hour withdrawal suspension. We propose the first scalable risk assessment framework applicable to all fee-dependent inscribed tokens, enabling systematic vulnerability detection and prompting urgent industry response and protocol-level mitigation.

BRC20 tokens are a type of non-fungible asset on the Bitcoin network. They allow users to embed customized content within Bitcoin satoshis. The related token frenzy has reached a market size of US$2,650b over the past year (2023Q3-2024Q3). However, this intuitive design has not undergone serious security scrutiny. We present the first in-depth analysis of the BRC20 transfer mechanism and identify a critical attack vector. A typical BRC20 transfer involves two bundled on-chain transactions with different fee levels: the first (i.e., Tx1) with a lower fee inscribes the transfer request, while the second (i.e., Tx2) with a higher fee finalizes the actual transfer. We find that an adversary can exploit this by sending a manipulated fee transaction (falling between the two fee levels), which allows Tx1 to be processed while Tx2 remains pinned in the mempool. This locks the BRC20 liquidity and disrupts normal transfers for users. We term this BRC20 pinning attack. Our attack exposes an inherent design flaw that can be applied to 90+% inscription-based tokens within the Bitcoin ecosystem. We also conducted the attack on Binance's ORDI hot wallet (the most prevalent BRC20 token and the most active wallet), resulting in a temporary suspension of ORDI withdrawals on Binance for 3.5 hours, which were shortly resumed after our communication.