BNB
by BSCN
October 7, 2022
BNB Chain resumed operations and apologized to the community while promising changes to prevent future hacks, following the bridge exploit.
BNB Chain has given an official account of the events of Thursday’s massive $580 million-plus hack after resuming operations Friday, apologizing to the community and promising to implement changes to prevent such attacks in the future.
“The exploit was through a sophisticated forging of the low level proof into one common library,” wrote the company in the response.
Translated into English, this means that the hacker(s) forged messages that convinced the bridge to send them BNB. BNB Chain’s note also included a number of actions the company will take next, including:
To recap, the hacker(s) exploited the BSC Token Hub cross-chain bridge – the bridge between the BNB Beacon Chain/BEP2 and BNBChain/BEP20 chains – essentially minting 2 million new BNB (value of about $580 million) that they sent to themselves in two separate transfers.
Security firms and researchers have posted several analyses of the attack on Twitter starting Thursday not long after the attack, with details continuing to be filled in as the community dissects on-chain events and analyzes the exploiter’s moves.
Security firm Ancilia, Inc. was among the first parties to notice the hack, which they were listed as having reported on BscScan shortly after the attack began.
Anonymous Twitter user and blockchain researcher “samczsun” was among the first to detail the event, which they chronicled shortly after the hack unfolded.
The first step in the attack seems to have been when the person(s) now known as the “BNB bridge exploiter” registered as a relayer for the BSC Token Hub bridge so they could position themselves for the exploit, explained samczun on Twitter shortly after the hack, along with their detailed analysis.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” wrote samczsun. “Fortunately, the attacker here only forged two messages, but the damage could have been far worse.”
Once the hacker had the money, they began moving it off-chain in what some researchers have called sloppily executed and strangely slow. They managed to move about $90 million-$110 million off, according to different accounts, using it to buy stablecoins such as USDT and USDC via Venus Protocol and borrow ETH on Fantom, among other moves. Partway into the hacker’s attempt to move the funds, Tether froze about $10 million worth of USDT the hacker had acquired with the BNB.
Security firm PeckShield Inc. has analyzed the event and determined that closer to $90 million was moved off-chain, including about 58% to Ethereum, 33% to Fantom, and 4.5% to Arbitrum. How much the hacker has successfully made away with is still unclear, but BNB Chain noted in their response that a full and transparent “postmortem” is in progress and results will be made publicly available in hopes of helping other projects address vulnerabilities in their own bridges.
Latest News
0h : 52m ago
OKX Ventures, The Open Platform, and Folius Ventures Launch $10M Telegram Growth Hub
October 29, 2024
Is Bitcoin Set to Soar Even Higher?
October 29, 2024
DWF Labs Dismisses Partner Amid Drink-Spiking Allegations in Hong Kong
October 29, 2024
Visa and FV Bank Debut New Debit and Expense Cards, Bridging Crypto and Fiat Global Payments
October 29, 2024
Bitcoin Surges Past $71,000: What Could be the Possible Reasons?
October 29, 2024
Hong Kong Expands Tax Incentives to Include Virtual Assets, Targeting Institutional Investors
October 28, 2024
Dogecoin Surges Amid Musk and Trump Connections
October 28, 2024
Could Robinhood’s U.S.-Only Election Market Predict Results Better by Excluding Foreign Influence?